Windows Analysis Report
atpRyiZGTE.exe

Overview

General Information

Sample Name: atpRyiZGTE.exe
Analysis ID: 652396
MD5: 0515b4d32d6d65d19832858957f0847f
SHA1: 3cb9acc775da6908c56890f0827398b817467e0e
SHA256: 9027302b65c696c2e079f70c18f55abc1fd10c497b4cad63bdbfbd8ac110b916
Tags: Arechclient2, exe

Detection

RedLine
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Uses reg.exe to modify the Windows registry
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • atpRyiZGTE.exe (PID: 3452 cmdline: "C:\Users\user\Desktop\atpRyiZGTE.exe" MD5: 0515B4D32D6D65D19832858957F0847F)
    • cmd.exe (PID: 6720 cmdline: cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe, MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 6792 cmdline: ping 127.0.0.1 -n 38 MD5: 70C24A306F768936563ABDADB9CA9108)
      • reg.exe (PID: 3796 cmdline: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe," MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • cmd.exe (PID: 6248 cmdline: cmd" /c ping 127.0.0.1 -n 45 > nul && copy "C:\Users\user\Desktop\atpRyiZGTE.exe" "C:\Users\user\AppData\Roaming\LightKeeperService.exe" && ping 127.0.0.1 -n 45 > nul && "C:\Users\user\AppData\Roaming\LightKeeperService.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 6200 cmdline: ping 127.0.0.1 -n 45 MD5: 70C24A306F768936563ABDADB9CA9108)
      • PING.EXE (PID: 6864 cmdline: ping 127.0.0.1 -n 45 MD5: 70C24A306F768936563ABDADB9CA9108)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.450115307.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.450115307.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.448862255.00000000048DB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.448862255.00000000048DB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: atpRyiZGTE.exe PID: 3452 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.atpRyiZGTE.exe.49762aa.1.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x451b1:$s1: +773yll
  • 0x45342:$s1: \xED\xF1\xF1\xF5\xBF\xAA\xAA
  • 0x475df:$s1: \xE5\xF9\xF9\xFD\xB7\xA2\xA2
  • 0x47783:$s1: PLLH\x02\x17\x17
  • 0x48628:$s1: \x13\x0F\x0F\x0BATT
  • 0x82d05:$s1: \xCA\xD6\xD6\xD2\x98\x8D\x8D
  • 0x451be:$s2: +7730yll
  • 0x4534f:$s2: \xED\xF1\xF1\xF5\xF6\xBF\xAA\xAA
  • 0x475ec:$s2: \xE5\xF9\xF9\xFD\xFE\xB7\xA2\xA2
  • 0x47790:$s2: PLLHK\x02\x17\x17
  • 0x4c19a:$s2: \xF5\xE9\xE9\xED\xEE\xA7\xB2\xB2
  • 0x4c5f7:$s2: \x08\x14\x14\x10\x13ZOO
  • 0x73a84:$s2: osswt=((
  • 0x73b9b:$s2: \xCB\xD7\xD7\xD3\xD0\x99\x8C\x8C
  • 0x83582:$s2: \x0E\x12\x12\x16\x15\II
0.2.atpRyiZGTE.exe.49762aa.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.atpRyiZGTE.exe.49762aa.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.atpRyiZGTE.exe.49762aa.1.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen
  • 0x92f6d:$s14: keybd_event
  • 0x97c10:$v1_1: grabber@
  • 0x90796:$v1_2: <BrowserProfile>k__
  • 0x9185a:$v1_3: <SystemHardwares>k__
  • 0x91919:$v1_5: <ScannedWallets>k__
  • 0x919a9:$v1_6: <DicrFiles>k__
  • 0x91985:$v1_7: <MessageClientFiles>k__
  • 0x91d4f:$v1_8: <ScanBrowsers>k__BackingField
  • 0x91da1:$v1_8: <ScanWallets>k__BackingField
  • 0x91dbe:$v1_8: <ScanScreen>k__BackingField
  • 0x91df8:$v1_8: <ScanVPN>k__BackingField
  • 0x84e76:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost
  • 0x84682:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
0.2.atpRyiZGTE.exe.4c7d2e8.5.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x451b1:$s1: +773yll
  • 0x45342:$s1: \xED\xF1\xF1\xF5\xBF\xAA\xAA
  • 0x475df:$s1: \xE5\xF9\xF9\xFD\xB7\xA2\xA2
  • 0x47783:$s1: PLLH\x02\x17\x17
  • 0x48628:$s1: \x13\x0F\x0F\x0BATT
  • 0x82d05:$s1: \xCA\xD6\xD6\xD2\x98\x8D\x8D
  • 0x451be:$s2: +7730yll
  • 0x4534f:$s2: \xED\xF1\xF1\xF5\xF6\xBF\xAA\xAA
  • 0x475ec:$s2: \xE5\xF9\xF9\xFD\xFE\xB7\xA2\xA2
  • 0x47790:$s2: PLLHK\x02\x17\x17
  • 0x4c19a:$s2: \xF5\xE9\xE9\xED\xEE\xA7\xB2\xB2
  • 0x4c5f7:$s2: \x08\x14\x14\x10\x13ZOO
  • 0x73a84:$s2: osswt=((
  • 0x73b9b:$s2: \xCB\xD7\xD7\xD3\xD0\x99\x8C\x8C
  • 0x83582:$s2: \x0E\x12\x12\x16\x15\II
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: atpRyiZGTE.exe | ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Roaming\LightKeeperService.exe | ReversingLabs: Detection: 42%
Source: atpRyiZGTE.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\LightKeeperService.exe | Joe Sandbox ML: detected
Source: atpRyiZGTE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 142.250.185.100:443 -> 192.168.2.4:49746 version: TLS 1.0
Source: atpRyiZGTE.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: www.google.com | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 142.250.185.100:443 -> 192.168.2.4:49746 version: TLS 1.0
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: atpRyiZGTE.exe | String found in binary or memory: http://api.textlocal.in/send/?
Source: atpRyiZGTE.exe, LightKeeperService.exe.19.dr | String found in binary or memory: http://api.textlocal.in/send/?1sangleshubham9
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: atpRyiZGTE.exe, 00000000.00000003.348966637.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.337172932.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.334588359.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.335558240.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.440305727.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.341919239.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.348472153.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.341573864.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.345775535.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.340929865.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.438770547.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.343342627.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.342714698.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.344471615.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.353915669.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.351717491.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.347097585.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.336546347.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.354548458.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.352972101.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.335252277.0000000006887000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ns.adp/1.0/
Source: atpRyiZGTE.exe, 00000000.00000003.348966637.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.337172932.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.334588359.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.335558240.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.440305727.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.341919239.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.348472153.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.341573864.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.345775535.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.340929865.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.438770547.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.343342627.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.342714698.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.344471615.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.353915669.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.351717491.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.347097585.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.336546347.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.354548458.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.352972101.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.335252277.0000000006887000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ns.microsoto/1.2
Source: atpRyiZGTE.exe, 00000000.00000002.445054854.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295467627.0000000006850000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295597676.0000000006845000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295438765.0000000006845000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: atpRyiZGTE.exe, 00000000.00000003.295735340.0000000006846000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295655832.0000000006846000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295687027.0000000006846000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/i
Source: atpRyiZGTE.exe, 00000000.00000003.299802336.0000000006859000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.299334032.0000000006859000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.298764281.0000000006846000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300440687.0000000006859000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: atpRyiZGTE.exe, 00000000.00000003.298764281.0000000006846000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlG
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: atpRyiZGTE.exe, 00000000.00000003.314251572.0000000006846000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.312675141.0000000006814000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: atpRyiZGTE.exe, 00000000.00000003.312783150.0000000006855000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.312649918.0000000006855000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html8
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: atpRyiZGTE.exe, 00000000.00000002.452188664.0000000006800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: atpRyiZGTE.exe, 00000000.00000002.452188664.0000000006800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: atpRyiZGTE.exe, 00000000.00000003.299475642.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300737819.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300455988.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300935758.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300039387.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.301161307.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300667068.0000000006814000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.comr
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: atpRyiZGTE.exe, 00000000.00000003.309958195.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.309784943.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.315674707.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.310013124.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.315753789.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.310158459.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.309902011.0000000006814000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.de
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: atpRyiZGTE.exe, 00000000.00000003.315674707.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.315753789.0000000006814000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deEv
Source: atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: atpRyiZGTE.exe, atpRyiZGTE.exe, 00000000.00000002.445054854.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: atpRyiZGTE.exe, LightKeeperService.exe.19.dr | String found in binary or memory: https://www.google.com%BorderColorFocused
Source: atpRyiZGTE.exe, 00000000.00000002.445054854.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
Source: atpRyiZGTE.exe, 00000000.00000002.445054854.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.comT
Source: unknown | DNS traffic detected: queries for: www.google.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: www.google.com | Connection: Keep-Alive

System Summary

Source: 0.2.atpRyiZGTE.exe.49762aa.1.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.4aac2da.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.4a112ca.2.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.4aac2da.3.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.4be22da.4.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.4a112ca.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.4be22da.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.2.atpRyiZGTE.exe.49762aa.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: atpRyiZGTE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.atpRyiZGTE.exe.49762aa.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.49762aa.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.4aac2da.3.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.4aac2da.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.4a112ca.2.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.4a112ca.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.4aac2da.3.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.4aac2da.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.4be22da.4.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.4be22da.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.4a112ca.2.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.4a112ca.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.4be22da.4.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.4be22da.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.2.atpRyiZGTE.exe.49762aa.1.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.atpRyiZGTE.exe.49762aa.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Code function: 0_2_00991328
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Code function: 0_2_00FE7408
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Code function: 0_2_00FE7B51
Source: atpRyiZGTE.exe, 00000000.00000002.444211680.000000000120C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamecw.exeF vs atpRyiZGTE.exe
Source: atpRyiZGTE.exe, 00000000.00000002.447907797.0000000003EF7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNeWUsakdjfnsd.dll< vs atpRyiZGTE.exe
Source: atpRyiZGTE.exe, 00000000.00000002.453220816.0000000006B00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNeWUsakdjfnsd.dll< vs atpRyiZGTE.exe
Source: atpRyiZGTE.exe, 00000000.00000002.448862255.00000000048DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTest.exe" vs atpRyiZGTE.exe
Source: atpRyiZGTE.exe, 00000000.00000002.450115307.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTest.exe" vs atpRyiZGTE.exe
Source: atpRyiZGTE.exe | Binary or memory string: OriginalFilenamecw.exeF vs atpRyiZGTE.exe
                Source: atpRyiZGTE.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: LightKeeperService.exe.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,"
                Source: atpRyiZGTE.exe | ReversingLabs: Detection: 42%
                Source: atpRyiZGTE.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\atpRyiZGTE.exe "C:\Users\user\Desktop\atpRyiZGTE.exe"
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 45 > nul && copy "C:\Users\user\Desktop\atpRyiZGTE.exe" "C:\Users\user\AppData\Roaming\LightKeeperService.exe" && ping 127.0.0.1 -n 45 > nul && "C:\Users\user\AppData\Roaming\LightKeeperService.exe
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 45
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 45
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\atpRyiZGTE.exe.log
                Source: classification engine | Classification label: mal96.troj.evad.winEXE@15/5@1/3
                Source: atpRyiZGTE.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4148:120:WilError_01
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: atpRyiZGTE.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: atpRyiZGTE.exe | Static file information: File size 1598976 > 1048576
                Source: atpRyiZGTE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: atpRyiZGTE.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x168600
                Source: atpRyiZGTE.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Code function: 0_2_009921CD push FFFFFF8Bh; iretd 0_2_009921CF
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Code function: 0_2_00FE8355 push eax; retf 5502h 0_2_00FE86BD
                Source: atpRyiZGTE.exe, Bo6/a8C.cs | High entropy of concatenated method names: '.ctor', 'Ki3', 'p4J', 'Nz0', 'Bt6', 'Mk3', 'Si9', 'Wp6', 'd8B', 'Wk7'
                Source: atpRyiZGTE.exe, w0XGc7/Mr7n6D.cs | High entropy of concatenated method names: '.ctor', 'f9WBp6', 'Gf13Tw', 'Qj28Bz', 'y1Y8Ri', 'r3E1Tx', 'Hi39Fa', 'Cf89Kt', 'w5P8Kp', 'f3JEb0'
                Source: atpRyiZGTE.exe, Kj87Xi/Xn05Ce.cs | High entropy of concatenated method names: '.ctor', 'q0M8Ss', 'x0Q5Wf', 'No60Js', 'Lr01Db', 'q5DSj2', 'Ci8o1H', 'x3K4Lj', 'y5QEj4', 'Kk68Yd'
                Source: atpRyiZGTE.exe, Dp4o9T/Sy50Xx.cs | High entropy of concatenated method names: '.ctor', 'j4FLp8', 'Ho3s2F', 'd3J2Be', 'Bt6z9M', 'g1MZw6', 'As86Wi', 'Ww52Sr', 'Cs51Ki', 'x6QJj2'
                Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\LightKeeperService.exe

                Boot Survival

                Source: C:\Windows\SysWOW64\reg.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | File opened: C:\Users\user\Desktop\atpRyiZGTE.exe\:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 45
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 45
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe TID: 6756 | Thread sleep time: -28592453314249787s >= -30000s
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe TID: 6756 | Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\SysWOW64\PING.EXE TID: 6796 | Thread sleep count: 37 > 30
                Source: C:\Windows\SysWOW64\PING.EXE TID: 6796 | Thread sleep time: -37000s >= -30000s
                Source: C:\Windows\SysWOW64\PING.EXE TID: 4284 | Thread sleep count: 44 > 30
                Source: C:\Windows\SysWOW64\PING.EXE TID: 4284 | Thread sleep time: -44000s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Window / User API: threadDelayed 4246
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Window / User API: threadDelayed 5455
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Thread delayed: delay time: 30000
                Source: atpRyiZGTE.exe, 00000000.00000002.445231000.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware VGAuth
                Source: atpRyiZGTE.exe, 00000000.00000002.445231000.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: sandboxierpcss#SOFTWARE\VMware, Inc.\VMware VGAuth
                Source: atpRyiZGTE.exe, 00000000.00000002.445231000.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VBoxTray6
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 45 > nul && copy "C:\Users\user\Desktop\atpRyiZGTE.exe" "C:\Users\user\AppData\Roaming\LightKeeperService.exe" && ping 127.0.0.1 -n 45 > nul && "C:\Users\user\AppData\Roaming\LightKeeperService.exe
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 45
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Users\user\Desktop\atpRyiZGTE.exe VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\atpRyiZGTE.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\atpRyiZGTE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.atpRyiZGTE.exe.49762aa.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4aac2da.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4a112ca.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4aac2da.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4be22da.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4a112ca.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4be22da.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.49762aa.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.450115307.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.448862255.00000000048DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: atpRyiZGTE.exe PID: 3452, type: MEMORYSTR
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.49762aa.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4aac2da.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4a112ca.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4aac2da.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4be22da.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4a112ca.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4be22da.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.49762aa.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.450115307.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.448862255.00000000048DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: atpRyiZGTE.exe PID: 3452, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 0.2.atpRyiZGTE.exe.49762aa.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4aac2da.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4a112ca.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4c7d2e8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4aac2da.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4be22da.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4a112ca.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.4be22da.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.atpRyiZGTE.exe.49762aa.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.450115307.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.448862255.00000000048DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: atpRyiZGTE.exe PID: 3452, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic column; the number in parentheses is the count shown beside that technique in the grid)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Registry Run Keys / Startup Folder (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading (1); Modify Registry (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Hidden Files and Directories (1); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); Remote System Discovery (11); System Network Configuration Discovery (1); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact
Behavior Graph ID: 652396
Sample: atpRyiZGTE.exe
Startdate: 26/06/2022
Architecture: WINDOWS
Score: 96
Signatures on the start node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 3 other signatures

Process tree recovered from the behavior graph:
• atpRyiZGTE.exe (started)
  DNS/IP: www.google.com 142.250.185.100, 443, 49746 GOOGLEUS United States
  Dropped: C:\Users\user\AppData\...\atpRyiZGTE.exe.log (ASCII)
  Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
  • cmd.exe (started)
    Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
    • reg.exe (started); Signature: Creates an undocumented autostart registry key
    • PING.EXE (started); DNS/IP: 127.0.0.1 unknown unknown; 192.168.2.1 unknown unknown
    • conhost.exe (started)
  • cmd.exe (started)
    Dropped: C:\Users\user\...\LightKeeperService.exe (PE32); C:\...\LightKeeperService.exe:Zone.Identifier (ASCII)
    • conhost.exe (started)
    • PING.EXE (started)
    • PING.EXE (started)

Source | Detection | Scanner | Label | Link
atpRyiZGTE.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | -
atpRyiZGTE.exe | 100% | Joe Sandbox ML | - | -

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\LightKeeperService.exe | 100% | Joe Sandbox ML | - | -
C:\Users\user\AppData\Roaming\LightKeeperService.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | -

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe | -
http://www.ascendercorp.com/typedesigners.htmlG | 0% | Avira URL Cloud | safe | -
http://www.tiro.com | 0% | URL Reputation | safe | -
http://www.goodfont.co.kr | 0% | URL Reputation | safe | -
http://www.fontbureau.coma | 0% | URL Reputation | safe | -
http://www.carterandcone.coml | 0% | URL Reputation | safe | -
http://www.sajatypeworks.com | 0% | URL Reputation | safe | -
http://www.typography.netD | 0% | URL Reputation | safe | -
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe | -
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe | -
http://fontfabrik.com | 0% | URL Reputation | safe | -
http://www.founder.com.cn/cn | 0% | URL Reputation | safe | -
http://www.sakkal.comr | 0% | URL Reputation | safe | -
https://www.google.comT | 0% | Avira URL Cloud | safe | -
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe | -
http://ns.adp/1.0/ | 0% | Avira URL Cloud | safe | -
http://www.fontbureau.como | 0% | URL Reputation | safe | -
https://www.google.com%BorderColorFocused | 0% | Avira URL Cloud | safe | -
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe | -
http://www.urwpp.deEv | 0% | Avira URL Cloud | safe | -
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe | -
http://ns.microsoto/1.2 | 0% | Avira URL Cloud | safe | -
http://www.sandoll.co.kr | 0% | URL Reputation | safe | -
http://www.urwpp.deDPlease | 0% | URL Reputation | safe | -
http://www.urwpp.de | 0% | URL Reputation | safe | -
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe | -
http://www.sakkal.com | 0% | URL Reputation | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.185.100 | true | false | - | high

Name | Malicious | Antivirus Detection | Reputation
https://www.google.com/ | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295467627.0000000006850000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295597676.0000000006845000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295438765.0000000006845000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designersG | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers/? | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.ascendercorp.com/typedesigners.htmlG | atpRyiZGTE.exe, 00000000.00000003.298764281.0000000006846000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.goodfont.co.kr | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coma | atpRyiZGTE.exe, 00000000.00000002.452188664.0000000006800000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com | atpRyiZGTE.exe, atpRyiZGTE.exe, 00000000.00000002.445054854.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/i | atpRyiZGTE.exe, 00000000.00000003.295735340.0000000006846000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295655832.0000000006846000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.295687027.0000000006846000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers/cabarga.htmlN | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.312675141.0000000006814000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sakkal.comr | atpRyiZGTE.exe, 00000000.00000003.299475642.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300737819.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300455988.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300935758.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300039387.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.301161307.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300667068.0000000006814000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.comT | atpRyiZGTE.exe, 00000000.00000002.445054854.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.html | atpRyiZGTE.exe, 00000000.00000003.314251572.0000000006846000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ns.adp/1.0/ | atpRyiZGTE.exe, 00000000.00000003.348966637.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.337172932.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.334588359.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.335558240.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.440305727.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.341919239.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.348472153.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.341573864.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.345775535.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.340929865.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.438770547.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.343342627.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.342714698.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.344471615.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.353915669.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.351717491.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.347097585.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.336546347.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.354548458.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.352972101.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.335252277.0000000006887000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.como | atpRyiZGTE.exe, 00000000.00000002.452188664.0000000006800000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com%BorderColorFocused | atpRyiZGTE.exe, LightKeeperService.exe.19.dr | false | Avira URL Cloud: safe | low
http://www.galapagosdesign.com/DPlease | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deEv | atpRyiZGTE.exe, 00000000.00000003.315674707.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.315753789.0000000006814000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | atpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.ascendercorp.com/typedesigners.html | atpRyiZGTE.exe, 00000000.00000003.299802336.0000000006859000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.299334032.0000000006859000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.298764281.0000000006846000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.300440687.0000000006859000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html8 | atpRyiZGTE.exe, 00000000.00000003.312783150.0000000006855000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.312649918.0000000006855000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://ns.microsoto/1.2 | atpRyiZGTE.exe, 00000000.00000003.348966637.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.337172932.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.334588359.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.335558240.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.440305727.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.341919239.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.348472153.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.341573864.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.345775535.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.340929865.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.438770547.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.343342627.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.342714698.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.344471615.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.353915669.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.351717491.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.347097585.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.336546347.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.354548458.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.352972101.0000000006887000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.335252277.0000000006887000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                              http://www.fonts.comatpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://www.sandoll.co.kratpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.urwpp.deDPleaseatpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.urwpp.deatpRyiZGTE.exe, 00000000.00000003.309958195.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.309784943.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.315674707.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.310013124.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.315753789.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.310158459.0000000006814000.00000004.00000800.00020000.00000000.sdmp, atpRyiZGTE.exe, 00000000.00000003.309902011.0000000006814000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.zhongyicts.com.cnatpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameatpRyiZGTE.exe, 00000000.00000002.445054854.0000000002EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.sakkal.comatpRyiZGTE.exe, 00000000.00000002.454472741.000000000A742000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.100 | www.google.com | United States | 15169 | GOOGLEUS | false

IP
192.168.2.1
127.0.0.1
                                                  Joe Sandbox Version:35.0.0 Citrine
                                                  Analysis ID:652396
Start date and time:26/06/2022 09:46:56 (2022-06-26 09:46:56 +02:00)
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 9m 57s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Sample file name:atpRyiZGTE.exe
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:31
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal96.troj.evad.winEXE@15/5@1/3
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HDC Information:
                                                  • Successful, ratio: 0.1% (good quality ratio 0.1%)
                                                  • Quality average: 84.5%
                                                  • Quality standard deviation: 1.5%
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 57
                                                  • Number of non-executed functions: 1
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                  • Excluded IPs from analysis (whitelisted): 20.223.24.244
                                                  • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                  • VT rate limit hit for: atpRyiZGTE.exe
Time | Type | Description
09:49:02 | API Interceptor | 184x Sleep call for process: atpRyiZGTE.exe modified
Match | Associated Sample Name / URL | Detection | Context
54328bd36c14bd82ddaa0c04b25ed9ad | 06-21-2022 Order _8678498578378598489304885909394899.exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | DTGWS8colL.exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | Nitro Gen And Check.exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | New Europe RFQ & Samples for June-2022_Purchase_0622.exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | tka30O3OZN.exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | 24.06.2022.CUMA.IHTIYAC.LISTESI.xlsx | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | F96UcEk8Z9.exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | vbc (2).exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | bE1EERq3Pt.exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | New-Client.exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | SNAMPT.exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | o0C5PwQnYf.exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | PO.wsf | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | xpK6fkhZnr.exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Trojan.Inject4.8347.15442.exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | 2009B8F4C568A316978B7BC19BDDAC9DD20FF8E2D796A.exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | DOC.exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | hesap ekstresi_22-06-2022.doc.exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | Pagamento SEPA_tansfer_220622_Swift.exe | malicious | 142.250.185.100
54328bd36c14bd82ddaa0c04b25ed9ad | Purchase Order.vbs | malicious | 142.250.185.100
                                                  Process:C:\Users\user\Desktop\atpRyiZGTE.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.355304211458859
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                  Malicious:true
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1598976
                                                  Entropy (8bit):6.542587858621466
                                                  Encrypted:false
                                                  SSDEEP:24576:hfFQnGpTDv52xFCsS4M61DPcnc4VsBKm6cCEtfG4RTRTHTM:hfFQnkV2TCo1DPcnc4VsKm6c9NxDXM
                                                  MD5:0515B4D32D6D65D19832858957F0847F
                                                  SHA1:3CB9ACC775DA6908C56890F0827398B817467E0E
                                                  SHA-256:9027302B65C696C2E079F70C18F55ABC1FD10C497B4CAD63BDBFBD8AC110B916
                                                  SHA-512:9E145260E75D7359772FAB436372CCFA249054F4CDA7E9FAFD2A67B7CC7B8166CBD1F38C73CD89737E3EA6F6D670684400250ADB26CD777080D4A203E4FD409E
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 42%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......2................................. ........@.. ....................................`.....................................S.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc...............d..............@..B.......................H.......0...x.......y... {...............................................j.?f...k.........i....12..w..1=...L.Q..(.~>.lE+.R.|../.4z.F....a.....).#.}..LB.Q~..!...@s....p..E..........^....@N...n..i.O.6.q.L.Z...C]..e......!.xf0.#.w.;..EN9Mr0..'M.\.".|.B..`l..{H.~&...<S ......p.*..&......J6.S.*x?.0E. ..Y.Y....l..!.i+.....G._.oT.........9.J.G......K.^Z... %..R.O.......z^..r.@.6.%.........POW.fj...u.mLC...Ts...8...=....\."U.dF.5..F.o...(@C...z.....S.a...}v.0.,9.
                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:modified
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                  Process:C:\Windows\SysWOW64\PING.EXE
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):2440
                                                  Entropy (8bit):4.725663483598328
                                                  Encrypted:false
                                                  SSDEEP:12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTd:/elAokItULVDv
                                                  MD5:CE2B4D3E2C6F89A5578B7B2574D9316A
                                                  SHA1:0B97F330E453CBCD78F3FE1C41675DF80D8BC81A
                                                  SHA-256:23F40B2D6379451ACD948C88723D09339D6386D08C068D70A9DC67EB56D3FB95
                                                  SHA-512:1AE47563977707328E8381BF37E1628B57886A9B570314D36225A628130B7F83058D5C4889C7BDF48F0719181B302985F3913264089854029098385B3D5C7E8F
                                                  Malicious:false
                                                  Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: byt
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):6.542587858621466
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  File name:atpRyiZGTE.exe
                                                  File size:1598976
                                                  MD5:0515b4d32d6d65d19832858957f0847f
                                                  SHA1:3cb9acc775da6908c56890f0827398b817467e0e
                                                  SHA256:9027302b65c696c2e079f70c18f55abc1fd10c497b4cad63bdbfbd8ac110b916
                                                  SHA512:9e145260e75d7359772fab436372ccfa249054f4cda7e9fafd2a67b7cc7b8166cbd1f38c73cd89737e3ea6f6d670684400250adb26cd777080d4a203e4fd409e
                                                  SSDEEP:24576:hfFQnGpTDv52xFCsS4M61DPcnc4VsBKm6cCEtfG4RTRTHTM:hfFQnkV2TCo1DPcnc4VsKm6c9NxDXM
                                                  TLSH:4575BEA22B857E03C03CA63E8234F54093F6FDCAA349C79D7DD5B5C666A23413BA2754
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......2................................. ........@.. ....................................`................................
                                                  Icon Hash:8e2b6d6c6c69abcc
                                                  Entrypoint:0x56a3fe
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x32E593FC [Wed Jan 22 04:13:48 1997 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the add byte ptr [eax], al line repeats for the remainder of the dumped entrypoint bytes, which are zero padding; 00402000h is Imagebase 0x400000 plus the IMAGE_DIRECTORY_ENTRY_IAT address 0x2000, i.e. the single-import jump stub typical of a .NET executable)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16a3a8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16c000 | 0x1db00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x168404 | 0x168600 | False | 0.6130488802896289 | data | 6.475046719062856 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x16c000 | 0x1db00 | 0x1dc00 | False | 0.7296316964285714 | data | 6.869642401970742 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x18a000 | 0xc | 0x200 | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x16c628 | 0x1c57 | PNG image data, 128 x 128, 8-bit colormap, non-interlaced | |
RT_ICON | 0x16e280 | 0x1628 | data | |
RT_ICON | 0x16f8a8 | 0xea8 | data | |
RT_ICON | 0x170750 | 0x8a8 | data | |
RT_ICON | 0x170ff8 | 0x6c8 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0x1716c0 | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x171c28 | 0x8683 | PNG image data, 256 x 256, 8-bit/color RGB, non-interlaced | |
RT_ICON | 0x17a2ac | 0x3d5c | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x17e008 | 0x4228 | data | |
RT_ICON | 0x182230 | 0x25a8 | data | |
RT_ICON | 0x1847d8 | 0x10a8 | data | |
RT_ICON | 0x185880 | 0x988 | data | |
RT_ICON | 0x186208 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x186670 | 0x2e8 | data | |
RT_ICON | 0x186958 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x186a80 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x186ba8 | 0x2e8 | data | |
RT_ICON | 0x186e90 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4294967295, next used block 4286019583 | |
RT_ICON | 0x187178 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x1872a0 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x187b48 | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x1880b0 | 0xca8 | dBase IV DBT of @.DBF, block length 3072, next free block index 40, next free block 4143380214, next used block 4143380214 | |
RT_ICON | 0x188d58 | 0x368 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x1890c0 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x189528 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x189650 | 0xbc | data | |
RT_GROUP_ICON | 0x18970c | 0x22 | data | |
RT_GROUP_ICON | 0x189730 | 0x22 | data | |
RT_GROUP_ICON | 0x189754 | 0x5a | data | |
RT_GROUP_ICON | 0x1897b0 | 0x22 | data | |
RT_VERSION | 0x1897d4 | 0x32c | data | English | United States
DLL | Import
mscoree.dll | _CorExeMain
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 26, 2022 09:48:20.692310095 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:20.692351103 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:20.692446947 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:20.764801979 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:20.764837980 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:20.817599058 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:20.817701101 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:20.821000099 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:20.821022034 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:20.821403027 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.009613037 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.224230051 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.264503002 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.283855915 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.283974886 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.284046888 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.284091949 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.284181118 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.284250975 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.284262896 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.284284115 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.284348965 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.284708977 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.285936117 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.286016941 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.286029100 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.286052942 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.286099911 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.287271976 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.288619995 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.288696051 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.288716078 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.288743973 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.288794994 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.300412893 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.300869942 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.300940037 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.300992966 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.301035881 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.301119089 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.302185059 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.303555012 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.303637981 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.303685904 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.303713083 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.303775072 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.304765940 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.306030989 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.306128025 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.306149006 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.307329893 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.307384968 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.307414055 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.307430983 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.307475090 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.308541059 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.309636116 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.309689999 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.309756994 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.309781075 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.309827089 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.310713053 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.311939001 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.312007904 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.312042952 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.312062025 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.312105894 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.312947989 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.314049959 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.314114094 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.314165115 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.314188957 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.314249039 CEST | 443 | 49746 | 142.250.185.100 | 192.168.2.4
Jun 26, 2022 09:48:21.314279079 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.314316034 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Jun 26, 2022 09:48:21.326067924 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.100
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 26, 2022 09:48:20.636743069 CEST | 60506 | 53 | 192.168.2.4 | 8.8.8.8
Jun 26, 2022 09:48:20.662038088 CEST | 53 | 60506 | 8.8.8.8 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 26, 2022 09:48:20.636743069 CEST | 192.168.2.4 | 8.8.8.8 | 0xc6da | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 26, 2022 09:48:20.662038088 CEST | 8.8.8.8 | 192.168.2.4 | 0xc6da | No error (0) | www.google.com | | 142.250.185.100 | A (IP address) | IN (0x0001)
                                                  • www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49746 | 142.250.185.100 | 443 | C:\Users\user\Desktop\atpRyiZGTE.exe
Timestamp | kBytes transferred | Direction | Data
2022-06-26 07:48:21 UTC | 0 | OUT | GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive
2022-06-26 07:48:21 UTC | 0 | IN | HTTP/1.1 200 OK
                                                  Date: Sun, 26 Jun 2022 07:48:21 GMT
                                                  Expires: -1
                                                  Cache-Control: private, max-age=0
                                                  Content-Type: text/html; charset=ISO-8859-1
                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                  Server: gws
                                                  X-XSS-Protection: 0
                                                  X-Frame-Options: SAMEORIGIN
                                                  Set-Cookie: AEC=AakniGPWn24ct2sLJwkW8tir5SqQA7-iC8qNpsQ5GdxWywSGbxpJrJNDqg; expires=Fri, 23-Dec-2022 07:48:21 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                  Set-Cookie: __Secure-ENID=5.SE=X8yGHJuvgnzc55XoNk8_Mza3nrf_VAoZchfNhOXPFcbqcmgj1aewySqRYSnGFa0ilk8eMV4EXP5nkNk3gV51yHqvAH8wD5DgmNpHFFfLVYb-7qDKKviaOiPYs4cwftZ1orAh6t7MMg7MqKj8TIZ_ACF7qCnLvdxGp80kbDkVtx8; expires=Thu, 27-Jul-2023 00:06:39 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                  Set-Cookie: CONSENT=PENDING+312; expires=Tue, 25-Jun-2024 07:48:21 GMT; path=/; domain=.google.com; Secure
                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                  Accept-Ranges: none
                                                  Vary: Accept-Encoding
                                                  Connection: close
                                                  Transfer-Encoding: chunked
2022-06-26 07:48:21 UTC | 1 | IN | Data Raw: 35 36 37 38 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74
                                                  Data Ascii: 5678<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta cont
2022-06-26 07:48:21 UTC | 1 | IN | Data Raw: 65 6e 74 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 67 2f 31 78 2f 67 6f 6f 67 6c 65 67 5f 73 74 61 6e 64 61 72 64 5f 63 6f 6c 6f 72 5f 31 32 38 64 70 2e 70 6e 67 22 20 69 74 65 6d 70 72 6f 70 3d 22 69 6d 61 67 65 22 3e 3c 74 69 74 6c 65 3e 47 6f 6f 67 6c 65 3c 2f 74 69 74 6c 65 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 6d 63 55 74 69 34 46 30 6e 31 4c 53 35 44 72 76 4a 70 76 4d 42 51 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 3d 7b 6b 45 49 3a 27 52 51 2d 34 59 73 53 66 44 72 4b 41 69 2d 67 50 31 66 43 73 6f 41 59 27 2c 6b 45 58 50 49 3a 27 30 2c 31 33 30 32 35 33 36 2c 35 34 32 34 34 2c 32 36 32 39 2c 36 30 35 38 2c 32 30 37 2c 34 38 30 34 2c 32 33 31 36 2c 33 38 33 2c 32 34 36
                                                  Data Ascii: ent="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="mcUti4F0n1LS5DrvJpvMBQ">(function(){window.google={kEI:'RQ-4YsSfDrKAi-gP1fCsoAY',kEXPI:'0,1302536,54244,2629,6058,207,4804,2316,383,246
2022-06-26 07:48:21 UTC | 2 | IN | Data Raw: 30 2c 32 31 33 30 2c 34 32 37 2c 38 34 39 2c 37 31 39 2c 33 36 35 38 2c 39 33 32 35 31 39 27 2c 6b 42 4c 3a 27 30 4d 75 38 27 7d 3b 67 6f 6f 67 6c 65 2e 73 6e 3d 27 77 65 62 68 70 27 3b 67 6f 6f 67 6c 65 2e 6b 48 4c 3d 27 65 6e 2d 47 42 27 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 76 61 72 20 66 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 68 2c 6b 3d 5b 5d 3b 66 75 6e 63 74 69 6f 6e 20 6c 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3b 61 26 26 28 21 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 7c 7c 21 28 62 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 65 69 64 22 29 29 29 3b 29 61 3d 61 2e 70 61 72 65 6e 74 4e 6f 64 65 3b 72 65 74 75 72 6e 20 62 7c 7c 68 7d 66 75 6e 63 74 69 6f 6e 20 6d 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 6e 75 6c
                                                  Data Ascii: 0,2130,427,849,719,3658,932519',kBL:'0Mu8'};google.sn='webhp';google.kHL='en-GB';})();(function(){var f=this||self;var h,k=[];function l(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||h}function m(a){for(var b=nul
2022-06-26 07:48:21 UTC | 3 | IN | Data Raw: 5d 2c 62 2c 63 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 6c 6f 61 64 41 6c 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 62 78 3d 21 31 3b 67 6f 6f 67 6c 65 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 67 6f 6f 67 6c 65 2e 66 3d 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 73 75 62 6d 69 74 22 2c 66 75 6e 63 74 69 6f 6e 28 62 29 7b 76 61 72 20 61 3b 69 66 28 61 3d 62 2e 74 61 72 67 65 74 29 7b 76 61 72 20 63 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 73 75 62 6d 69 74 66 61
                                                  Data Ascii: ],b,c])};google.loadAll=function(a,b){google.lq.push([a,b])};google.bx=!1;google.lx=function(){};}).call(this);google.f={};(function(){document.documentElement.addEventListener("submit",function(b){var a;if(a=b.target){var c=a.getAttribute("data-submitfa
2022-06-26 07:48:21 UTC | 5 | IN | Data Raw: 6c 75 74 65 3b 74 6f 70 3a 33 30 70 78 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 74 63 62 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 7d 23 67 62 7a 20 2e 67 62 74 63 62 7b 72 69 67 68 74 3a 30 7d 23 67 62 67 20 2e 67 62 74 63 62 7b 6c 65 66 74 3a 30 7d 2e 67 62 78 78 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 78 6f 7b 6f 70 61 63 69 74 79 3a 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 7a 2d 69 6e 64 65 78 3a 39 39 39 3b 74 6f 70 3a 2d 39 39 39 70 78 3b 76 69 73 69 62 69 6c 69 74 79
                                                  Data Ascii: lute;top:30px;width:100%}.gbtcb{position:absolute;visibility:hidden}#gbz .gbtcb{right:0}#gbg .gbtcb{left:0}.gbxx{display:none !important}.gbxo{opacity:0 !important;filter:alpha(opacity=0) !important}.gbm{position:absolute;z-index:999;top:-999px;visibility
2022-06-26 07:48:21 UTC | 6 | IN | Data Raw: 73 74 2d 73 74 79 6c 65 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 2e 67 62 6d 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 20 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 32 3b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 3b 70 61 64 64 69 6e 67 3a 30 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 2e 67 62 74 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e 67 62 74 6f 7b 62 6f 78 2d 73 68 61 64 6f
                                                  Data Ascii: st-style:none;margin:0;padding:0}.gbmc{background:#fff;padding:10px 0;position:relative;z-index:2;zoom:1}.gbt{position:relative;display:-moz-inline-box;display:inline-block;line-height:27px;padding:0;vertical-align:top}.gbt{*display:inline}.gbto{box-shado
2022-06-26 07:48:21 UTC | 7 | IN | Data Raw: 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 63 34 63 34 63 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6e 6f 6e 65 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6e 6f 6e 65 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 30 20 2d 31 30 32 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 72 65 70 65 61 74 2d 78 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 70 64 6a 73 20 2e 67 62 74 6f 20 2e 67 62 6d 7b 6d 69 6e 2d 77 69 64 74 68 3a 39 39 25 7d 2e 67 62 7a 30 6c 20 2e 67 62 74 62 32 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f 6c 6f 72 3a 23 64 64 34 62 33 39 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 69 34
                                                  Data Ascii: kground-color:#4c4c4c;background-image:none;_background-image:none;background-position:0 -102px;background-repeat:repeat-x;outline:none;text-decoration:none !important}.gbpdjs .gbto .gbm{min-width:99%}.gbz0l .gbtb2{border-top-color:#dd4b39!important}#gbi4
2022-06-26 07:48:21 UTC | 8 | IN | Data Raw: 67 62 6d 74 3a 76 69 73 69 74 65 64 2c 2e 67 62 6e 64 20 2e 67 62 6d 74 2c 2e 67 62 6e 64 20 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 64 64 38 65 32 37 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 66 20 2e 67 62 6d 74 2c 2e 67 62 66 20 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 39 30 30 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 74 2c 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 33 36 63 20 21 69 6d 70 6f 72 74 61 6e 74 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 74 2c 2e 67 62 6d 74 3a 76 69 73
                                                  Data Ascii: gbmt:visited,.gbnd .gbmt,.gbnd .gbmt:visited{color:#dd8e27 !important}.gbf .gbmt,.gbf .gbmt:visited{color:#900 !important}.gbmt,.gbml1,.gbmlb,.gbmt:visited,.gbml1:visited,.gbmlb:visited{color:#36c !important;text-decoration:none !important}.gbmt,.gbmt:vis
2022-06-26 07:48:21 UTC | 10 | IN | Data Raw: 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 32 29 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 31 7d 23 67 62 64 34 20 2e 67 62 6d 68 7b 6d 61 72 67 69 6e 3a 30 7d 2e 67 62 6d 74 63 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 2e 47 42 4d 43 43 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 2c 23 47 42 4d 50 41 4c 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 27 5c 30 41 5c 30 41 27 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 70 72 65 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 7d 23 67 62 6d 70 73 7b 2a 7a 6f 6f 6d 3a 31 7d 23 67 62 64 34 20 2e 67 62 70 63
                                                  Data Ascii: box-shadow:0 2px 4px rgba(0,0,0,.12);position:relative;z-index:1}#gbd4 .gbmh{margin:0}.gbmtc{padding:0;margin:0;line-height:27px}.GBMCC:last-child:after,#GBMPAL:last-child:after{content:'\0A\0A';white-space:pre;position:absolute}#gbmps{*zoom:1}#gbd4 .gbpc
2022-06-26 07:48:21 UTC | 11 | IN | Data Raw: 31 30 70 78 20 32 30 70 78 20 30 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 77 72 61 70 7d 2e 67 62 6d 70 61 6c 61 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 7d 2e 67 62 6d 70 61 6c 62 7b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 72 69 67 68 74 7d 23 67 62 6d 70 61 73 62 20 2e 67 62 70 73 7b 63 6f 6c 6f 72 3a 23 30 30 30 7d 23 67 62 6d 70 61 6c 20 2e 67 62 71 66 62 62 7b 6d 61 72 67 69 6e 3a 30 20 32 30 70 78 7d 2e 67 62 70 30 20 2e 67 62 70 73 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 61 2e 67 62 69 62 61 7b 6d 61 72 67 69 6e 3a 38 70 78 20 32 30 70 78 20 31 30 70 78 7d 2e 67 62 6d 70 69 61 77 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b
                                                  Data Ascii: 10px 20px 0;white-space:nowrap}.gbmpala{padding-left:0;text-align:left}.gbmpalb{padding-right:0;text-align:right}#gbmpasb .gbps{color:#000}#gbmpal .gbqfbb{margin:0 20px}.gbp0 .gbps{*display:inline}a.gbiba{margin:8px 20px 10px}.gbmpiaw{display:inline-block
2022-06-26 07:48:21 UTC | 12 | IN | Data Raw: 30 2c 30 2c 30 2c 2e 31 29 7d 2e 67 62 71 66 62 2d 6e 6f 2d 66 6f 63 75 73 3a 66 6f 63 75 73 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 37 39 65 64 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 7d 2e 67 62 71 66 62 2d 68 76 72 2c 2e 67 62 71 66 62 61 2d 68 76 72 2c 2e 67 62 71 66 62 62 2d 68 76 72 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20
                                                  Data Ascii: 0,0,0,.1)}.gbqfb-no-focus:focus{border:1px solid #3079ed;-moz-box-shadow:none;-webkit-box-shadow:none;box-shadow:none}.gbqfb-hvr,.gbqfba-hvr,.gbqfbb-hvr{-webkit-box-shadow:0 1px 1px rgba(0,0,0,.1);-moz-box-shadow:0 1px 1px rgba(0,0,0,.1);box-shadow:0 1px
2022-06-26 07:48:21 UTC | 14 | IN | Data Raw: 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 6f 7a 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 7d 2e 67 62 71 66 62 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63
                                                  Data Ascii: ;background-image:-moz-linear-gradient(top,#4d90fe,#357ae8);background-image:-ms-linear-gradient(top,#4d90fe,#357ae8);background-image:-o-linear-gradient(top,#4d90fe,#357ae8);background-image:linear-gradient(top,#4d90fe,#357ae8)}.gbqfb:active{background-c
2022-06-26 07:48:21 UTC | 15 | IN | Data Raw: 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 38 66 38 66 38 2c 23 66 31 66 31 66 31 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 66 38 66 38 66 38 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 66 31 66 31 66 31 27 29 7d 2e 67 62 71 66 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 66 72 6f 6d 28 23 66
                                                  Data Ascii: 1f1);background-image:linear-gradient(top,#f8f8f8,#f1f1f1);filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#f8f8f8',EndColorStr='#f1f1f1')}.gbqfbb{background-color:#fff;background-image:-webkit-gradient(linear,left top,left bottom,from(#f
                                                  2022-06-26 07:48:21 UTC16INData Raw: 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 63 6f 6c 6f 72 3a 23 32 32 32 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 71 66 62 61 3a 61 63 74 69 76 65 2c 2e 67 62 71 66 62 62 3a 61 63 74 69 76 65 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 7d 0a 23 67 62 6d 70 61 73 7b
                                                  Data Ascii: 1px rgba(0,0,0,.1);box-shadow:0 1px 1px rgba(0,0,0,.1);color:#222 !important}.gbqfba:active,.gbqfbb:active{-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);-moz-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}#gbmpas{
                                                  2022-06-26 07:48:21 UTC17INData Raw: 29 3b 74 6f 70 3a 30 7d 2e 67 62 73 62 20 2e 67 62 73 62 62 7b 2d 77 65 62 6b 69 74 2d 6d 61 73 6b 2d 62 6f 78 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 72 69 67 68 74 20 74 6f 70 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 30 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 2e 35 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 38 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 31 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 6c 65 66 74 20 74 6f 70 2c 66 72 6f 6d 28 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 29 2c 74 6f
                                                  Data Ascii: );top:0}.gbsb .gbsbb{-webkit-mask-box-image:-webkit-gradient(linear,left top,right top,color-stop(0,rgba(0,0,0,.1)),color-stop(.5,rgba(0,0,0,.8)),color-stop(1,rgba(0,0,0,.1)));background:-webkit-gradient(linear,left bottom,left top,from(rgba(0,0,0,.2)),to
                                                  2022-06-26 07:48:21 UTC19INData Raw: 65 7d 2e 66 6c 20 61 7b 63 6f 6c 6f 72 3a 23 31 35 35 38 64 36 7d 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 34 62 31 31 61 38 7d 2e 73 62 6c 63 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 35 70 78 7d 2e 73 62 6c 63 20 61 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 32 70 78 20 30 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 33 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 7d 2e 6c 73 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 38 66 39 66 61 3b 62 6f 72 64 65 72 3a 73 6f 6c 69 64 20 31 70 78 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 64 61 64 63 65 30 20 23 37 30 37 35 37 61 20 23 37 30 37 35 37 61 20 23 64 61 64 63 65 30 3b 68 65 69 67 68 74 3a 33 30 70 78 7d 2e 6c 73 62 62 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 23
                                                  Data Ascii: e}.fl a{color:#1558d6}a:visited{color:#4b11a8}.sblc{padding-top:5px}.sblc a{display:block;margin:2px 0;margin-left:13px;font-size:11px}.lsbb{background:#f8f9fa;border:solid 1px;border-color:#dadce0 #70757a #70757a #dadce0;height:30px}.lsbb{display:block}#
                                                  2022-06-26 07:48:21 UTC20INData Raw: 72 65 66 26 26 28 65 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 6f 75 74 65 72 48 54 4d 4c 2e 73 70 6c 69 74 28 22 5c 6e 22 29 5b 65 5d 2c 62 2b 3d 22 26 63 61 64 3d 22 2b 63 28 65 3f 65 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 33 30 30 29 3a 22 4e 6f 20 73 63 72 69 70 74 20 66 6f 75 6e 64 2e 22 29 29 29 3b 66 6f 72 28 76 61 72 20 74 20 69 6e 20 64 29 62 2b 3d 22 26 22 2c 62 2b 3d 63 28 74 29 2c 62 2b 3d 22 3d 22 2c 62 2b 3d 63 28 64 5b 74 5d 29 3b 62 3d 62 2b 22 26 65 6d 73 67 3d 22 2b 63 28 61 2e 6e 61 6d 65 2b 22 3a 20 22 2b 61 2e 6d 65 73 73 61 67 65 29 3b 62 3d 62 2b 22 26 6a 73 73 74 3d 22 2b 63 28 61 2e 73 74 61 63 6b 7c 7c 22 4e 2f 41 22 29 3b 31 32 32 38 38 3c 3d 62 2e 6c 65 6e 67 74 68 26 26 28 62 3d 62 2e 73 75
                                                  Data Ascii: ref&&(e=document.documentElement.outerHTML.split("\n")[e],b+="&cad="+c(e?e.substring(0,300):"No script found.")));for(var t in d)b+="&",b+=c(t),b+="=",b+=c(d[t]);b=b+"&emsg="+c(a.name+": "+a.message);b=b+"&jsst="+c(a.stack||"N/A");12288<=b.length&&(b=b.su
                                                  2022-06-26 07:48:21 UTC21INData Raw: 79 28 74 68 69 73 2c 61 72 67 75 6d 65 6e 74 73 29 3b 72 65 74 75 72 6e 20 76 6f 69 64 20 30 3d 3d 6b 3f 6d 3a 76 6f 69 64 20 30 3d 3d 6d 3f 6b 3a 6d 26 26 6b 7d 7d 7d 76 61 72 20 64 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 67 2e 62 76 2e 6d 3d 3d 61 7d 7d 2c 65 61 3d 64 61 28 31 29 2c 66 61 3d 64 61 28 32 29 3b 70 28 22 73 62 22 2c 65 61 29 3b 70 28 22 6b 6e 22 2c 66 61 29 3b 68 2e 61 3d 5f 74 76 76 3b 68 2e 62 3d 5f 74 76 66 3b 68 2e 63 3d 5f 74 76 6e 3b 68 2e 69 3d 61 61 3b 76 61 72 20 72 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 69 2e 69 3b 76 61 72 20 74 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 2c 68 61 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 2c 6b 61 3d 66 75 6e 63 74 69 6f 6e 28
                                                  Data Ascii: y(this,arguments);return void 0==k?m:void 0==m?k:m&&k}}}var da=function(a){return function(){return g.bv.m==a}},ea=da(1),fa=da(2);p("sb",ea);p("kn",fa);h.a=_tvv;h.b=_tvf;h.c=_tvn;h.i=aa;var r=window.gbar.i.i;var t=function(){},ha=function(){},ka=function(
                                                  2022-06-26 07:48:21 UTC22INData Raw: 36 38 66 31 0d 0a 26 43 26 26 43 28 63 5b 31 5d 2e 6c 69 62 73 29 29 7d 2c 74 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 41 28 22 67 63 22 2c 61 29 7d 2c 75 61 3d 6e 75 6c 6c 2c 76 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 75 61 3d 61 7d 2c 73 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 75 61 29 7b 61 3d 7b 74 3a 61 2c 62 3a 62 7d 3b 69 66 28 63 29 66 6f 72 28 76 61 72 20 64 20 69 6e 20 63 29 61 5b 64 5d 3d 63 5b 64 5d 3b 74 72 79 7b 75 61 28 61 29 7d 63 61 74 63 68 28 66 29 7b 7d 7d 7d 3b 70 28 22 6d 64 63 22 2c 76 29 3b 70 28 22 6d 64 69 22 2c 6c 61 29 3b 70 28 22 62 6e 63 22 2c 77 29 3b 70 28 22 71 47 43 22 2c 74 61 29 3b 70 28 22 71 6d 22 2c 42 29 3b 70 28 22 71 64 22 2c 78 29 3b 70 28 22 6c 62 22 2c 44 29 3b 70 28 22 6d 63 66 22 2c
                                                  Data Ascii: 68f1&C&&C(c[1].libs))},ta=function(a){A("gc",a)},ua=null,va=function(a){ua=a},sa=function(a,b,c){if(ua){a={t:a,b:b};if(c)for(var d in c)a[d]=c[d];try{ua(a)}catch(f){}}};p("mdc",v);p("mdi",la);p("bnc",w);p("qGC",ta);p("qm",B);p("qd",x);p("lb",D);p("mcf",
                                                  2022-06-26 07:48:21 UTC24INData Raw: 2c 42 61 29 3b 70 28 22 61 67 6c 22 2c 44 61 29 3b 68 2e 6f 3d 78 61 7d 3b 76 61 72 20 46 61 3d 68 2e 62 28 22 30 2e 31 22 2c 2e 30 30 31 29 2c 47 61 3d 30 3b 0a 66 75 6e 63 74 69 6f 6e 20 5f 6d 6c 54 6f 6b 65 6e 28 61 2c 62 29 7b 74 72 79 7b 69 66 28 31 3e 47 61 29 7b 47 61 2b 2b 3b 76 61 72 20 63 3d 61 3b 62 3d 62 7c 7c 7b 7d 3b 76 61 72 20 64 3d 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 2c 66 3d 5b 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 7a 78 3d 22 2c 28 6e 65 77 20 44 61 74 65 29 2e 67 65 74 54 69 6d 65 28 29 2c 22 26 6a 65 78 70 69 64 3d 22 2c 64 28 22 32 38 38 33 34 22 29 2c 22 26 73 72 63 70 67 3d 22 2c 64 28 22 70 72 6f 70 3d 31 22 29 2c 22 26 6a 73 72 3d 22 2c 4d 61 74 68 2e
                                                  Data Ascii: ,Ba);p("agl",Da);h.o=xa};var Fa=h.b("0.1",.001),Ga=0;function _mlToken(a,b){try{if(1>Ga){Ga++;var c=a;b=b||{};var d=encodeURIComponent,f=["//www.google.com/gen_204?atyp=i&zx=",(new Date).getTime(),"&jexpid=",d("28834"),"&srcpg=",d("prop=1"),"&jsr=",Math.
                                                  2022-06-26 07:48:21 UTC25INData Raw: 61 72 67 75 6d 65 6e 74 73 3b 67 2e 71 6d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 61 5b 62 5d 2e 61 70 70 6c 79 28 74 68 69 73 2c 64 29 7d 29 7d 7d 2c 4f 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 0a 5b 4c 61 3f 22 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 2c 22 2f 6f 67 2f 5f 2f 6a 73 2f 64 3d 31 2f 6b 3d 22 2c 22 6f 67 2e 6f 67 32 2e 65 6e 5f 55 53 2e 51 51 49 52 4e 4f 6c 4c 54 37 38 2e 4f 22 2c 22 2f 72 74 3d 6a 2f 6d 3d 22 2c 61 2c 22 2f 72 73 3d 22 2c 22 41 41 32 59 72 54 76 49 67 38 4f 7a 4d 4e 63 67 79 68 74 44 54 50 49 6d 4b 7a 31 37 78 4c 4e 35 75 41 22 5d 3b 4b 61 26 26 61 2e 70 75 73 68 28 22 3f 68 6f 73 74 3d 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 26 62 75 73 74 3d 6f 67 2e 6f 67 32 2e 65 6e 5f 55
                                                  Data Ascii: arguments;g.qm(function(){a[b].apply(this,d)})}},Oa=function(a){a=[La?"":"https://www.gstatic.com","/og/_/js/d=1/k=","og.og2.en_US.QQIRNOlLT78.O","/rt=j/m=",a,"/rs=","AA2YrTvIg8OzMNcgyhtDTPImKz17xLN5uA"];Ka&&a.push("?host=www.gstatic.com&bust=og.og2.en_U
                                                  2022-06-26 07:48:21 UTC26INData Raw: 76 61 72 20 6b 3d 62 2e 70 61 72 65 6e 74 4e 6f 64 65 3b 69 66 28 4f 3d 3d 64 29 4f 3d 76 6f 69 64 20 30 2c 0a 4b 28 6b 2c 22 67 62 74 6f 22 29 3b 65 6c 73 65 7b 69 66 28 4f 29 7b 76 61 72 20 6d 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 4f 29 3b 69 66 28 6d 26 26 6d 2e 67 65 74 41 74 74 72 69 62 75 74 65 29 7b 76 61 72 20 6e 3d 6d 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 61 72 69 61 2d 6f 77 6e 65 72 22 29 3b 69 66 28 6e 2e 6c 65 6e 67 74 68 29 7b 76 61 72 20 6c 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 6e 29 3b 6c 26 26 6c 2e 70 61 72 65 6e 74 4e 6f 64 65 26 26 4b 28 6c 2e 70 61 72 65 6e 74 4e 6f 64 65 2c 22 67 62 74 6f 22 29 7d 7d 7d 24 61 28 66 29 26 26 61 62 28 66 29 3b 4f 3d 64 3b
                                                  Data Ascii: var k=b.parentNode;if(O==d)O=void 0,K(k,"gbto");else{if(O){var m=document.getElementById(O);if(m&&m.getAttribute){var n=m.getAttribute("aria-owner");if(n.length){var l=document.getElementById(n);l&&l.parentNode&&K(l.parentNode,"gbto")}}}$a(f)&&ab(f);O=d;
                                                  2022-06-26 07:48:21 UTC27INData Raw: 28 22 6c 69 22 29 2c 7a 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 64 69 76 22 29 3b 79 2e 63 6c 61 73 73 4e 61 6d 65 3d 22 67 62 6d 74 63 22 3b 7a 2e 63 6c 61 73 73 4e 61 6d 65 3d 22 67 62 6d 74 20 67 62 6d 68 22 3b 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 7a 29 3b 6b 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 79 2c 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 6c 5d 29 7d 67 2e 61 64 64 48 6f 76 65 72 26 26 67 2e 61 64 64 48 6f 76 65 72 28 61 29 7d 65 6c 73 65 20 6b 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6d 29 7d 7d 63 61 74 63 68 28 45 62 29 7b 72 28 45 62 2c 22 73 62 22 2c 22 61 6c 22 29 7d 7d 2c 66 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 66 6f 72 28 76 61 72 20 63 3d 62 2e 6c 65 6e 67 74 68 2c 0a 64 3d 30 3b 64 3c 63
                                                  Data Ascii: ("li"),z=document.createElement("div");y.className="gbmtc";z.className="gbmt gbmh";y.appendChild(z);k.insertBefore(y,k.childNodes[l])}g.addHover&&g.addHover(a)}else k.appendChild(m)}}catch(Eb){r(Eb,"sb","al")}},fb=function(a,b){for(var c=b.length,d=0;d<c
                                                  2022-06-26 07:48:21 UTC29INData Raw: 6e 65 72 48 54 4d 4c 3d 66 3b 64 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6b 29 7d 7d 65 6c 73 65 20 64 2e 69 6e 6e 65 72 48 54 4d 4c 3d 62 3b 51 28 61 2c 21 30 29 7d 7d 7d 2c 51 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 28 62 3d 76 6f 69 64 20 30 21 3d 3d 62 3f 62 3a 21 30 29 3f 4a 28 61 2c 22 67 62 6d 73 67 6f 22 29 3a 4b 28 61 2c 22 67 62 6d 73 67 6f 22 29 7d 2c 24 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 30 2c 63 3b 63 3d 61 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 62 5d 3b 62 2b 2b 29 69 66 28 48 28 63 2c 22 67 62 6d 73 67 22 29 29 72 65 74 75 72 6e 20 63 7d 2c 50 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 71 62 26 26 77 69 6e 64 6f 77 2e 63 6c 65 61 72 54 69 6d 65 6f 75 74 28 71 62 29 7d 2c 75 62 3d 66 75 6e 63 74 69 6f 6e 28 61
                                                  Data Ascii: nerHTML=f;d.appendChild(k)}}else d.innerHTML=b;Q(a,!0)}}},Q=function(a,b){(b=void 0!==b?b:!0)?J(a,"gbmsgo"):K(a,"gbmsgo")},$a=function(a){for(var b=0,c;c=a.childNodes[b];b++)if(H(c,"gbmsg"))return c},P=function(){qb&&window.clearTimeout(qb)},ub=function(a
                                                  2022-06-26 07:48:21 UTC30INData Raw: 35 35 64 36 61 36 62 37 38 37 64 63 63 32 61 34 30 36 32 65 36 65 39 38 32 34 2e 6a 73 22 2c 69 6e 64 65 78 3a 22 22 2c 6c 61 6e 67 3a 22 65 6e 22 7d 3b 76 2e 67 63 3d 42 62 3b 76 61 72 20 43 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 61 70 69 73 26 26 77 69 6e 64 6f 77 2e 69 66 72 61 6d 65 73 3f 61 26 26 61 28 29 3a 28 61 26 26 74 61 28 61 29 2c 44 28 22 67 63 22 29 29 7d 3b 70 28 22 6c 47 43 22 2c 43 62 29 3b 68 2e 61 28 22 31 22 29 26 26 70 28 22 6c 50 57 46 22 2c 43 62 29 7d 3b 77 69 6e 64 6f 77 2e 5f 5f 50 56 54 3d 22 22 3b 69 66 28 68 2e 61 28 22 31 22 29 26 26 68 2e 61 28 22 31 22 29 29 7b 76 61 72 20 44 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 43 62 28 66 75 6e 63 74 69 6f 6e 28 29 7b 41 28 22 70 77 22 2c 61
                                                  Data Ascii: 55d6a6b787dcc2a4062e6e9824.js",index:"",lang:"en"};v.gc=Bb;var Cb=function(a){window.googleapis&&window.iframes?a&&a():(a&&ta(a),D("gc"))};p("lGC",Cb);h.a("1")&&p("lPWF",Cb)};window.__PVT="";if(h.a("1")&&h.a("1")){var Db=function(a){Cb(function(){A("pw",a
                                                  2022-06-26 07:48:21 UTC31INData Raw: 2e 62 76 2e 66 2c 71 3d 64 28 22 31 22 29 3b 6e 3d 64 28 6e 29 3b 63 3d 4d 61 74 68 2e 72 6f 75 6e 64 28 31 2f 63 29 3b 76 61 72 20 45 3d 64 28 22 34 35 35 39 37 32 34 33 31 2e 30 22 29 2c 55 3d 22 26 6f 67 67 76 3d 22 2b 64 28 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 36 30 37 2e 31 5f 70 30 22 29 2c 49 3d 64 28 22 63 6f 6d 22 29 2c 56 3d 64 28 22 65 6e 22 29 2c 57 3d 0a 64 28 22 47 42 52 22 29 3b 76 61 72 20 79 3d 30 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 31 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 32 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 34 29 3b 61 3d 5b 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 7a 78 3d 22 2c 66 2c 22 26 6f 67 65 3d 22 2c 61 2c 22 26 6f 67 65 78
                                                  Data Ascii: .bv.f,q=d("1");n=d(n);c=Math.round(1/c);var E=d("455972431.0"),U="&oggv="+d("es_plusone_gc_20220607.1_p0"),I=d("com"),V=d("en"),W=d("GBR");var y=0;h.a("")&&(y|=1);h.a("")&&(y|=2);h.a("")&&(y|=4);a=["//www.google.com/gen_204?atyp=i&zx=",f,"&oge=",a,"&ogex
                                                  2022-06-26 07:48:21 UTC32INData Raw: 62 29 3b 70 28 22 73 70 73 22 2c 57 62 29 3b 70 28 22 73 70 64 22 2c 24 62 29 3b 70 28 22 70 61 61 22 2c 54 62 29 3b 70 28 22 70 72 6d 22 2c 55 62 29 3b 6d 62 28 22 67 62 64 34 22 2c 55 62 29 3b 0a 69 66 28 68 2e 61 28 22 22 29 29 7b 76 61 72 20 61 63 3d 7b 64 3a 68 2e 61 28 22 22 29 2c 65 3a 22 22 2c 73 61 6e 77 3a 68 2e 61 28 22 22 29 2c 70 3a 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 39 36 22 2c 63 70 3a 22 31 22 2c 78 70 3a 68 2e 61 28 22 31 22 29 2c 6d 67 3a 22 25 31 24 73 20 28 64 65 6c 65 67 61 74 65 64 29 22 2c 6d 64 3a 22 25 31 24 73 20 28 64 65 66 61 75 6c 74 29 22 2c 6d 68 3a 22 32 32 30 22 2c 73 3a 22 31 22 2c 70 70 3a 5a 62 2c
                                                  Data Ascii: b);p("sps",Wb);p("spd",$b);p("paa",Tb);p("prm",Ub);mb("gbd4",Ub);if(h.a("")){var ac={d:h.a(""),e:"",sanw:h.a(""),p:"https://lh3.googleusercontent.com/ogw/default-user=s96",cp:"1",xp:h.a("1"),mg:"%1$s (delegated)",md:"%1$s (default)",mh:"220",s:"1",pp:Zb,
                                                  2022-06-26 07:48:21 UTC34INData Raw: 63 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 72 65 74 75 72 6e 21 21 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 7d 63 61 74 63 68 28 61 29 7b 72 65 74 75 72 6e 21 31 7d 7d 2c 6c 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 26 26 61 2e 73 74 79 6c 65 26 26 61 2e 73 74 79 6c 65 2e 62 65 68 61 76 69 6f 72 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 61 2e 6c 6f 61 64 7d 2c 6d 63 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 2c 64 29 7b 74 72 79 7b 6a 63 28 64 6f 63 75 6d 65 6e 74 29 7c 7c 28 64 7c 7c 28 62 3d 22 6f 67 2d 75 70 2d 22 2b 62 29 2c 6b 63 28 29 3f 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 73 65 74 49
                                                  Data Ascii: c=function(){try{return!!e.localStorage&&"object"==typeof e.localStorage}catch(a){return!1}},lc=function(a){return a&&a.style&&a.style.behavior&&"undefined"!=typeof a.load},mc=function(a,b,c,d){try{jc(document)||(d||(b="og-up-"+b),kc()?e.localStorage.setI
                                                  2022-06-26 07:48:21 UTC35INData Raw: 7b 73 70 3a 68 2e 62 28 22 30 2e 30 31 22 2c 31 29 2c 74 6c 64 3a 22 63 6f 2e 75 6b 22 2c 70 72 69 64 3a 22 31 22 7d 29 3b 66 75 6e 63 74 69 6f 6e 20 72 63 28 29 7b 66 75 6e 63 74 69 6f 6e 20 61 28 29 7b 66 6f 72 28 76 61 72 20 6c 3b 28 6c 3d 6b 5b 6d 2b 2b 5d 29 26 26 22 6d 22 21 3d 6c 5b 30 5d 26 26 21 6c 5b 31 5d 2e 61 75 74 6f 3b 29 3b 6c 26 26 28 73 61 28 32 2c 6c 5b 30 5d 29 2c 6c 5b 31 5d 2e 75 72 6c 26 26 72 61 28 6c 5b 31 5d 2e 75 72 6c 2c 6c 5b 30 5d 29 2c 6c 5b 31 5d 2e 6c 69 62 73 26 26 43 26 26 43 28 6c 5b 31 5d 2e 6c 69 62 73 29 29 3b 6d 3c 6b 2e 6c 65 6e 67 74 68 26 26 73 65 74 54 69 6d 65 6f 75 74 28 61 2c 30 29 7d 66 75 6e 63 74 69 6f 6e 20 62 28 29 7b 30 3c 66 2d 2d 3f 73 65 74 54 69 6d 65 6f 75 74 28 62 2c 30 29 3a 61 28 29 7d 76 61 72
                                                  Data Ascii: {sp:h.b("0.01",1),tld:"co.uk",prid:"1"});function rc(){function a(){for(var l;(l=k[m++])&&"m"!=l[0]&&!l[1].auto;);l&&(sa(2,l[0]),l[1].url&&ra(l[1].url,l[0]),l[1].libs&&C&&C(l[1].libs));m<k.length&&setTimeout(a,0)}function b(){0<f--?setTimeout(b,0):a()}var
                                                  2022-06-26 07:48:21 UTC36INData Raw: 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 0a 2a 2f 0a 76 61 72 20 64 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 69 2e 69 3b 76 61 72 20 65 3d 77 69 6e 64 6f 77 2e 67 62 61 72 3b 76 61 72 20 66 3d 65 2e 69 3b 76 61 72 20 67 3d 66 2e 63 28 22 31 22 2c 30 29 2c 68 3d 2f 5c 62 67 62 6d 74 5c 62 2f 2c 6b 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 74 72 79 7b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 5f 22 2b 67 29 2c 63 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 5f 22 2b 61 29 3b 62 26 26 66 2e 6c 28 62 2c 68 2e 74 65 73 74 28 62 2e 63 6c 61
                                                  Data Ascii: sure Library Authors. SPDX-License-Identifier: Apache-2.0*/var d=window.gbar.i.i;var e=window.gbar;var f=e.i;var g=f.c("1",0),h=/\bgbmt\b/,k=function(a){try{var b=document.getElementById("gb_"+g),c=document.getElementById("gb_"+a);b&&f.l(b,h.test(b.cla
                                                  2022-06-26 07:48:21 UTC38INData Raw: 6e 64 65 66 69 6e 65 64 22 3d 3d 74 79 70 65 6f 66 20 6b 2e 65 78 65 63 53 63 72 69 70 74 7c 7c 6b 2e 65 78 65 63 53 63 72 69 70 74 28 22 76 61 72 20 22 2b 68 5b 30 5d 29 3b 66 6f 72 28 76 61 72 20 6c 3b 68 2e 6c 65 6e 67 74 68 26 26 28 6c 3d 68 2e 73 68 69 66 74 28 29 29 3b 29 68 2e 6c 65 6e 67 74 68 7c 7c 76 6f 69 64 20 30 3d 3d 3d 67 3f 6b 3d 6b 5b 6c 5d 26 26 6b 5b 6c 5d 21 3d 3d 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 5b 6c 5d 3f 6b 5b 6c 5d 3a 6b 5b 6c 5d 3d 7b 7d 3a 6b 5b 6c 5d 3d 67 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 65 2c 7b 22 5f 73 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74
                                                  Data Ascii: ndefined"==typeof k.execScript||k.execScript("var "+h[0]);for(var l;h.length&&(l=h.shift());)h.length||void 0===g?k=k[l]&&k[l]!==Object.prototype[l]?k[l]:k[l]={}:k[l]=g;}catch(e){window.gbar&&gbar.logger&&gbar.logger.ml(e,{"_sn":"cfg.init"});}})();(funct
                                                  2022-06-26 07:48:21 UTC39INData Raw: 67 62 5f 38 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 70 73 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 6d 61 70 73 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 6c 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 4d 61 70 73 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 37 38 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 6c 61 79 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 38 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 50 6c 61 79 3c 2f 73 70 61 6e 3e 3c 2f
                                                  Data Ascii: gb_8 href="https://maps.google.co.uk/maps?hl=en&tab=wl"><span class=gbtb2></span><span class=gbts>Maps</span></a></li><li class=gbt><a class=gbzt id=gb_78 href="https://play.google.com/?hl=en&tab=w8"><span class=gbtb2></span><span class=gbts>Play</span></
                                                  2022-06-26 07:48:21 UTC40INData Raw: 22 67 62 6d 63 20 67 62 73 62 20 67 62 73 62 69 73 22 3e 3c 6f 6c 20 69 64 3d 67 62 6d 6d 20 63 6c 61 73 73 3d 22 67 62 6d 63 63 20 67 62 73 62 69 63 22 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 32 34 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 61 6c 65 6e 64 61 72 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 63 61 6c 65 6e 64 61 72 3f 74 61 62 3d 77 63 22 3e 43 61 6c 65 6e 64 61 72 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 35 31 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 72 61 6e 73 6c 61 74 65 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 54 22 3e 54 72 61 6e 73
                                                  Data Ascii: "gbmc gbsb gbsbis"><ol id=gbmm class="gbmcc gbsbic"><li class=gbmtc><a class=gbmt id=gb_24 href="https://calendar.google.com/calendar?tab=wc">Calendar</a></li><li class=gbmtc><a class=gbmt id=gb_51 href="https://translate.google.co.uk/?hl=en&tab=wT">Trans
                                                  2022-06-26 07:48:21 UTC41INData Raw: 31 2c 7b 74 3a 36 36 7d 29 3b 3b 20 7d 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 73 62 74 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 73 62 62 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 69 64 3d 67 62 67 3e 3c 68 32 20 63 6c 61 73 73 3d 67 62 78 78 3e 41 63 63 6f 75 6e 74 20 4f 70 74 69 6f 6e 73 3c 2f 68 32 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 63 62 3e 3c 2f 73 70 61 6e 3e 3c 6f 6c 20 63 6c 61 73 73 3d 67 62 74 63 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 74 61 72 67 65 74 3d 5f 74 6f 70 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 63 63 6f 75 6e 74 73 2e 67 6f 6f 67 6c 65 2e 63
                                                  Data Ascii: 1,{t:66});; });</script></li></ol><div class=gbsbt></div><div class=gbsbb></div></div></div></li></ol></div><div id=gbg><h2 class=gbxx>Account Options</h2><span class=gbtcb></span><ol class=gbtc><li class=gbt><a target=_top href="https://accounts.google.c
                                                  2022-06-26 07:48:21 UTC43INData Raw: 62 78 34 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 6d 63 55 74 69 34 46 30 6e 31 4c 53 35 44 72 76 4a 70 76 4d 42 51 27 3e 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 65 6c 70 26 26 67 62 61 72 2e 65 6c 70 28 29 3c 2f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 63 65 6e 74 65 72 3e 3c 62 72 20 63 6c 65 61 72 3d 22 61 6c 6c 22 20 69 64 3d 22 6c 67 70 64 22 3e 3c 64 69 76 20 69 64 3d 22 6c 67 61 22 3e 3c 69 6d 67 20 61 6c 74 3d 22 47 6f 6f 67 6c 65 22 20 68 65 69 67 68 74 3d 22 39 32 22 20 73 72 63 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 77 68 69 74 65 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 63 6f 6c 6f 72 5f 32 37 32 78
                                                  Data Ascii: bx4></div><script nonce='mcUti4F0n1LS5DrvJpvMBQ'>window.gbar&&gbar.elp&&gbar.elp()</script></div></div><center><br clear="all" id="lgpd"><div id="lga"><img alt="Google" height="92" src="/images/branding/googlelogo/1x/googlelogo_white_background_color_272x
                                                  2022-06-26 07:48:21 UTC44INData Raw: 61 6c 75 65 29 7b 74 68 69 73 2e 63 68 65 63 6b 65 64 20 3d 20 31 3b 69 66 20 28 74 68 69 73 2e 66 6f 72 6d 2e 69 66 6c 73 69 67 29 74 68 69 73 2e 66 6f 72 6d 2e 69 66 6c 73 69 67 2e 64 69 73 61 62 6c 65 64 20 3d 20 66 61 6c 73 65 3b 7d 0a 65 6c 73 65 20 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 3d 27 2f 64 6f 6f 64 6c 65 73 2f 27 3b 7d 3b 7d 29 28 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 69 6e 70 75 74 20 76 61 6c 75 65 3d 22 41 4a 69 4b 30 65 38 41 41 41 41 41 59 72 67 64 56 54 38 65 36 56 58 30 66 63 76 6c 4d 46 4a 71 44 6a 4c 5f 71 2d 42 49 45 4d 72 4f 22 20 6e 61 6d 65 3d 22 69 66 6c 73 69 67 22 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 74 64 3e 3c 74 64 20 63 6c 61 73 73 3d 22 66 6c 20 73 62 6c 63 22 20 61 6c
                                                  Data Ascii: alue){this.checked = 1;if (this.form.iflsig)this.form.iflsig.disabled = false;}else top.location='/doodles/';};})();</script><input value="AJiK0e8AAAAAYrgdVT8e6VX0fcvlMFJqDjL_q-BIEMrO" name="iflsig" type="hidden"></span></span></td><td class="fl sblc" al
                                                  2022-06-26 07:48:21 UTC45INData Raw: 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 65 74 70 72 65 66 64 6f 6d 61 69 6e 3f 70 72 65 66 64 6f 6d 3d 47 42 26 61 6d 70 3b 70 72 65 76 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 26 61 6d 70 3b 73 69 67 3d 4b 5f 66 55 46 49 4c 5f 43 76 43 6b 75 45 76 57 44 57 72 30 55 57 39 47 7a 34 35 74 49 25 33 44 22 3e 47 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 38 70 74 3b 63 6f 6c 6f 72 3a 23 37 30 37 35 37 61 22 3e 26 63 6f 70 79 3b 20 32 30 32 32 20 2d 20 3c 61 20 68 72 65 66 3d 22 2f 69 6e 74 6c 2f 65 6e 2f 70 6f 6c 69 63 69 65 73 2f 70 72 69 76 61 63 79 2f 22 3e 50 72 69 76 61 63 79 3c 2f 61 3e 20 2d
                                                  Data Ascii: ttps://www.google.com/setprefdomain?prefdom=GB&amp;prev=https://www.google.co.uk/&amp;sig=K_fUFIL_CvCkuEvWDWr0UW9Gz45tI%3D">Google.co.uk</a></div></div><p style="font-size:8pt;color:#70757a">&copy; 2022 - <a href="/intl/en/policies/privacy/">Privacy</a> -
                                                  2022-06-26 07:48:21 UTC46INData Raw: 6f 67 6c 65 2e 74 69 6d 65 72 73 2e 6c 6f 61 64 26 26 67 6f 6f 67 6c 65 2e 74 69 63 6b 26 26 67 6f 6f 67 6c 65 2e 74 69 63 6b 28 22 6c 6f 61 64 22 2c 22 78 6a 73 6c 73 22 29 3b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 3b 76 61 72 20 63 3d 22 53 43 52 49 50 54 22 3b 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 22 3d 3d 3d 62 2e 63 6f 6e 74 65 6e 74 54 79 70 65 26 26 28 63 3d 63 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 29 3b 63 3d 62 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 63 29 3b 69 66 28 76 6f 69 64 20 30 3d 3d 3d 67 29 7b 62 3d 6e 75 6c 6c 3b 76 61 72 20 6b 3d 64 2e 74 72 75 73 74 65 64 54 79 70 65 73 3b 69 66 28 6b 26 26 6b 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 29 7b 74 72 79 7b 62 3d 6b 2e 63 72 65 61 74 65 50 6f 6c 69 63
                                                  Data Ascii: ogle.timers.load&&google.tick&&google.tick("load","xjsls");var b=document;var c="SCRIPT";"application/xhtml+xml"===b.contentType&&(c=c.toLowerCase());c=b.createElement(c);if(void 0===g){b=null;var k=d.trustedTypes;if(k&&k.createPolicy){try{b=k.createPolic
                                                  2022-06-26 07:48:21 UTC48INData Raw: 6f 6d 5c 78 32 32 2c 5c 78 32 32 69 73 62 68 5c 78 32 32 3a 32 38 2c 5c 78 32 32 6a 73 6f 6e 70 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 6d 73 67 73 5c 78 32 32 3a 7b 5c 78 32 32 63 69 62 6c 5c 78 32 32 3a 5c 78 32 32 43 6c 65 61 72 20 53 65 61 72 63 68 5c 78 32 32 2c 5c 78 32 32 64 79 6d 5c 78 32 32 3a 5c 78 32 32 44 69 64 20 79 6f 75 20 6d 65 61 6e 3a 5c 78 32 32 2c 5c 78 32 32 6c 63 6b 79 5c 78 32 32 3a 5c 78 32 32 49 5c 5c 75 30 30 32 36 23 33 39 3b 6d 20 46 65 65 6c 69 6e 67 20 4c 75 63 6b 79 5c 78 32 32 2c 5c 78 32 32 6c 6d 6c 5c 78 32 32 3a 5c 78 32 32 4c 65 61 72 6e 20 6d 6f 72 65 5c 78 32 32 2c 5c 78 32 32 6f 73 6b 74 5c 78 32 32 3a 5c 78 32 32 49 6e 70 75 74 20 74 6f 6f 6c 73 5c 78 32 32 2c 5c 78 32 32 70 73 72 63 5c 78 32 32 3a 5c 78 32 32 54
                                                  Data Ascii: om\x22,\x22isbh\x22:28,\x22jsonp\x22:true,\x22msgs\x22:{\x22cibl\x22:\x22Clear Search\x22,\x22dym\x22:\x22Did you mean:\x22,\x22lcky\x22:\x22I\\u0026#39;m Feeling Lucky\x22,\x22lml\x22:\x22Learn more\x22,\x22oskt\x22:\x22Input tools\x22,\x22psrc\x22:\x22T
                                                  2022-06-26 07:48:21 UTC49INData Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Target ID:0
                                                  Start time:09:48:15
                                                  Start date:26/06/2022
                                                  Path:C:\Users\user\Desktop\atpRyiZGTE.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\atpRyiZGTE.exe"
                                                  Imagebase:0x10a0000
                                                  File size:1598976 bytes
                                                  MD5 hash:0515B4D32D6D65D19832858957F0847F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.450115307.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.450115307.0000000004BE2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.448862255.00000000048DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.448862255.00000000048DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Target ID:13
                                                  Start time:09:49:00
                                                  Start date:26/06/2022
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,
                                                  Imagebase:0x1190000
                                                  File size:232960 bytes
                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:14
                                                  Start time:09:49:01
                                                  Start date:26/06/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff647620000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:15
                                                  Start time:09:49:02
                                                  Start date:26/06/2022
                                                  Path:C:\Windows\SysWOW64\PING.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:ping 127.0.0.1 -n 38
                                                  Imagebase:0xa50000
                                                  File size:18944 bytes
                                                  MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:19
                                                  Start time:09:49:32
                                                  Start date:26/06/2022
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd" /c ping 127.0.0.1 -n 45 > nul && copy "C:\Users\user\Desktop\atpRyiZGTE.exe" "C:\Users\user\AppData\Roaming\LightKeeperService.exe" && ping 127.0.0.1 -n 45 > nul && "C:\Users\user\AppData\Roaming\LightKeeperService.exe
                                                  Imagebase:0x1190000
                                                  File size:232960 bytes
                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:20
                                                  Start time:09:49:33
                                                  Start date:26/06/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff647620000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:21
                                                  Start time:09:49:34
                                                  Start date:26/06/2022
                                                  Path:C:\Windows\SysWOW64\PING.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:ping 127.0.0.1 -n 45
                                                  Imagebase:0xa50000
                                                  File size:18944 bytes
                                                  MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:23
                                                  Start time:09:49:42
                                                  Start date:26/06/2022
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\LightKeeperService.exe,"
                                                  Imagebase:0x7ff7338d0000
                                                  File size:59392 bytes
                                                  MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language

                                                  Target ID:30
                                                  Start time:09:50:22
                                                  Start date:26/06/2022
                                                  Path:C:\Windows\SysWOW64\PING.EXE
                                                  Wow64 process (32bit):
                                                  Commandline:ping 127.0.0.1 -n 45
                                                  Imagebase:
                                                  File size:18944 bytes
                                                  MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language


                                                    Execution Graph

                                                    Execution Coverage:10.2%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:2
                                                    Total number of Limit Nodes:0
                                                    execution_graph 8698 990040 PostMessageW 8699 9900ac 8698->8699

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 609 fe7408-fe7422 611 fe7424-fe7435 609->611 612 fe7450-fe7461 609->612 611->612 618 fe7437-fe7443 611->618 613 fe74d2-fe74f5 call fe7a00 612->613 614 fe7463-fe7467 612->614 626 fe74fe-fe7505 613->626 627 fe74f7-fe74f9 613->627 615 fe7469-fe7475 614->615 616 fe7482-fe748b 614->616 620 fe780f-fe785a 615->620 621 fe747b-fe747d 615->621 622 fe77a0 616->622 623 fe7491-fe7494 616->623 624 fe7449-fe744b 618->624 625 fe77a5-fe7808 618->625 679 fe7861-fe78e0 620->679 628 fe7796-fe779d 621->628 622->625 623->622 629 fe749a-fe74b9 623->629 624->628 625->620 630 fe750b-fe7522 626->630 631 fe75f9-fe760a 626->631 627->628 629->622 647 fe74bf-fe74c5 629->647 630->631 638 fe7528-fe7534 630->638 641 fe760c-fe760f 631->641 642 fe7634-fe763a 631->642 645 fe753a-fe75ac 638->645 646 fe75f2-fe75f4 638->646 656 fe7617-fe7619 641->656 643 fe763c-fe7648 642->643 644 fe7655-fe765b 642->644 649 fe764e-fe7650 643->649 650 fe78f7-fe795a 643->650 651 fe7793 644->651 652 fe7661-fe767e 644->652 680 fe75ae-fe75d8 645->680 681 fe75da-fe75ef 645->681 646->628 654 fe74cb-fe74cf 647->654 655 fe79e5-fe79fd 647->655 649->628 705 fe7961-fe79e0 650->705 651->628 652->622 673 fe7684-fe7687 652->673 654->613 656->644 657 fe761b-fe7627 656->657 660 fe762d-fe762f 657->660 661 fe78e5-fe78f0 657->661 660->628 661->650 673->655 677 fe768d-fe76b3 673->677 677->651 687 fe76b9-fe76c5 677->687 680->681 681->646 688 fe778f-fe7791 687->688 689 fe76cb-fe7749 687->689 688->628 707 fe774b-fe7775 689->707 708 fe7777-fe778c 689->708 707->708 708->688
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 46d3aaa134c1362d297e136569c40fe0726b465c7c508c0ea4f07ccec8b90af0
                                                    • Instruction ID: 5d70da4e67e81dd203ec0590de8802e096270f2599f45e19eee15fec1a7568a0
                                                    • Opcode Fuzzy Hash: 46d3aaa134c1362d297e136569c40fe0726b465c7c508c0ea4f07ccec8b90af0
                                                    • Instruction Fuzzy Hash: 15F1CF70A082998FCB14DF75C890BAEBBB2AF88314F258528E506DB395DF34DD41DB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 947 fe7b51-fe7b73 948 fe7b7e-fe7b9e 947->948 949 fe7b75-fe7b7b 947->949 952 fe7ba5-fe7bac 948->952 953 fe7ba0 948->953 949->948 955 fe7bae-fe7bb9 952->955 954 fe7f34-fe7f3d 953->954 956 fe7bbf-fe7bd2 955->956 957 fe7f45-fe7f52 955->957 960 fe7be8-fe7c03 956->960 961 fe7bd4-fe7be2 956->961 965 fe7c27-fe7c2a 960->965 966 fe7c05-fe7c0b 960->966 961->960 964 fe7ebc-fe7ec3 961->964 964->954 969 fe7ec5-fe7ec7 964->969 970 fe7d84-fe7d8a 965->970 971 fe7c30-fe7c33 965->971 967 fe7c0d 966->967 968 fe7c14-fe7c17 966->968 967->968 967->970 973 fe7c4a-fe7c50 967->973 974 fe7e76-fe7e79 967->974 968->973 975 fe7c19-fe7c1c 968->975 976 fe7ec9-fe7ece 969->976 977 fe7ed6-fe7edc 969->977 970->974 978 fe7d90-fe7d95 970->978 971->970 972 fe7c39-fe7c3f 971->972 972->970 979 fe7c45 972->979 980 fe7c56-fe7c58 973->980 981 fe7c52-fe7c54 973->981 982 fe7e7f-fe7e85 974->982 983 fe7f40 974->983 984 fe7cb6-fe7cbc 975->984 985 fe7c22 975->985 976->977 977->957 986 fe7ede-fe7ee3 977->986 978->974 979->974 990 fe7c62-fe7c6b 980->990 981->990 991 fe7eaa-fe7eae 982->991 992 fe7e87-fe7e8f 982->992 983->957 984->974 989 fe7cc2-fe7cc8 984->989 985->974 987 fe7f28-fe7f2b 986->987 988 fe7ee5-fe7eea 986->988 987->983 1000 fe7f2d-fe7f32 987->1000 988->983 993 fe7eec 988->993 994 fe7cce-fe7cd0 989->994 995 fe7cca-fe7ccc 989->995 997 fe7c7e-fe7c9b 990->997 998 fe7c6d-fe7c78 990->998 991->964 999 fe7eb0-fe7eb6 991->999 992->957 996 fe7e95-fe7ea4 992->996 1001 fe7ef3-fe7ef8 993->1001 1002 fe7cda-fe7cf1 994->1002 995->1002 996->960 996->991 1017 fe7ca4-fe7ca6 997->1017 998->974 998->997 999->955 999->964 1000->954 1000->969 1003 fe7f1a-fe7f1c 1001->1003 1004 fe7efa-fe7efc 1001->1004 1013 fe7d1c-fe7d43 1002->1013 1014 fe7cf3-fe7d0c 1002->1014 1003->983 1011 fe7f1e-fe7f21 1003->1011 1008 fe7efe-fe7f03 1004->1008 1009 fe7f0b-fe7f11 1004->1009 1008->1009 1009->957 1012 fe7f13-fe7f18 1009->1012 1011->987 1012->1003 1016 fe7eee-fe7ef1 1012->1016 
1013->983 1025 fe7d49-fe7d4c 1013->1025 1021 fe7d9a-fe7dd0 1014->1021 1026 fe7d12-fe7d17 1014->1026 1016->983 1016->1001 1020 fe7cac-fe7cb1 1017->1020 1017->1021 1020->1021 1027 fe7ddd-fe7de5 1021->1027 1028 fe7dd2-fe7dd6 1021->1028 1025->983 1029 fe7d52-fe7d7b 1025->1029 1026->1021 1027->983 1032 fe7deb-fe7df0 1027->1032 1030 fe7dd8-fe7ddb 1028->1030 1031 fe7df5-fe7df9 1028->1031 1029->1021 1044 fe7d7d-fe7d82 1029->1044 1030->1027 1030->1031 1033 fe7dfb-fe7e01 1031->1033 1034 fe7e18-fe7e1c 1031->1034 1032->974 1033->1034 1036 fe7e03-fe7e0b 1033->1036 1037 fe7e1e-fe7e24 1034->1037 1038 fe7e26-fe7e45 call fe8355 1034->1038 1036->983 1039 fe7e11-fe7e16 1036->1039 1037->1038 1041 fe7e4b-fe7e4f 1037->1041 1038->1041 1039->974 1041->974 1042 fe7e51-fe7e6d 1041->1042 1042->974 1044->1021
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0bcf60b22ef7e7428751bb9b3638f3cc24c633cebb762d233e9912374cef5d3a
                                                    • Instruction ID: f503122609e9bccd42cc19d8ffda101eb2edbac4008dab7a949149e16156f965
                                                    • Opcode Fuzzy Hash: 0bcf60b22ef7e7428751bb9b3638f3cc24c633cebb762d233e9912374cef5d3a
                                                    • Instruction Fuzzy Hash: AAD13031E04295DFCB14DFAAD984AADBBB2FF88314F2581A5E405AB365D730DC41DB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 0 fe4568-fe457f 1 fe4581-fe45aa 0->1 132 fe45ad call fe4a97 1->132 133 fe45ad call fe4aa0 1->133 134 fe45ad call fe4b81 1->134 5 fe45b3-fe45c8 7 fe45ca-fe45d3 5->7 8 fe45eb 5->8 9 fe45da-fe45e7 7->9 10 fe45d5-fe45d8 7->10 11 fe45ee-fe45fd 8->11 12 fe45e9 9->12 10->12 15 fe45ff-fe464c 11->15 16 fe4601-fe4605 11->16 12->11 15->1 18 fe4626 16->18 19 fe4607-fe4610 16->19 22 fe4629-fe4665 18->22 20 fe4617-fe461a 19->20 21 fe4612-fe4615 19->21 23 fe4624 20->23 21->23 29 fe4688 22->29 30 fe4667-fe4670 22->30 23->22 33 fe468b-fe46b2 29->33 31 fe4677-fe4684 30->31 32 fe4672-fe4675 30->32 34 fe4686 31->34 32->34 39 fe46b4-fe46bd 33->39 40 fe46d3 33->40 34->33 41 fe46bf-fe46c2 39->41 42 fe46c4-fe46c7 39->42 43 fe46d6-fe4726 40->43 44 fe46d1 41->44 42->44 49 fe4728-fe4731 43->49 50 fe4747 43->50 44->43 51 fe4738-fe473b 49->51 52 fe4733-fe4736 49->52 53 fe474a-fe4762 50->53 54 fe4745 51->54 52->54 56 fe4764-fe476d 53->56 57 fe4783 53->57 54->53 58 fe476f-fe4772 56->58 59 fe4774-fe4777 56->59 60 fe4786-fe47e8 57->60 61 fe4781 58->61 59->61 68 fe47eb-fe47ff 60->68 61->60 70 fe4822 68->70 71 fe4801-fe480a 68->71 74 fe4825-fe4837 70->74 72 fe480c-fe480f 71->72 73 fe4811-fe481e 71->73 75 fe4820 72->75 73->75 78 fe4a0c-fe4a5a 74->78 79 fe483d-fe485a 74->79 75->74 91 fe4a5c-fe4a61 78->91 79->78 82 fe4860-fe4867 79->82 82->68 84 fe4869-fe489e 82->84 89 fe4a0a 84->89 90 fe48a4-fe48a8 84->90 89->91 92 fe48aa-fe48b3 90->92 93 fe48c9 90->93 95 fe48ba-fe48bd 92->95 96 fe48b5-fe48b8 92->96 97 fe48cc-fe48d3 93->97 98 fe48c7 95->98 96->98 99 fe48f4 97->99 100 fe48d5-fe48de 97->100 98->97 102 fe48f7-fe4920 call fe57c8 99->102 103 fe48e5-fe48e8 100->103 104 fe48e0-fe48e3 100->104 108 fe4926-fe492a 102->108 106 fe48f2 103->106 104->106 106->102 109 fe492c-fe4935 108->109 110 fe494b 108->110 111 fe493c-fe493f 109->111 112 fe4937-fe493a 109->112 113 fe494e-fe4975 110->113 114 fe4949 111->114 112->114 113->89 116 fe497b-fe497f 
113->116 114->113 117 fe49a0 116->117 118 fe4981-fe498a 116->118 121 fe49a3-fe49aa 117->121 119 fe498c-fe498f 118->119 120 fe4991-fe4994 118->120 122 fe499e 119->122 120->122 123 fe49ac-fe49b5 121->123 124 fe49cb 121->124 122->121 125 fe49bc-fe49bf 123->125 126 fe49b7-fe49ba 123->126 127 fe49ce-fe49ee 124->127 128 fe49c9 125->128 126->128 127->78 130 fe49f0-fe49f8 127->130 128->127 130->78 131 fe49fa-fe4a03 130->131 131->89 132->5 133->5 134->5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: d
                                                    • API String ID: 0-2564639436
                                                    • Opcode ID: 108aa777907bd2be38a38ea87112cb7928f1f7904938651a0679d90e42744b8b
                                                    • Instruction ID: 185f8dae7030fd464d3bb6838235013af1b36ee762a6bbeebce719007a79539d
                                                    • Opcode Fuzzy Hash: 108aa777907bd2be38a38ea87112cb7928f1f7904938651a0679d90e42744b8b
                                                    • Instruction Fuzzy Hash: 62F12535E04288DFCB18DFA5E494AADBBB2FF89315F204569E406AB354CB30AC85DF41
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 136 990006-9900aa PostMessageW 137 9900ac-9900b2 136->137 138 9900b3-9900c7 136->138 137->138
                                                    APIs
                                                    • PostMessageW.USER32(?,?,?,?), ref: 0099009D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.441685316.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_990000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 0f28cdf48eca5da913d465efbb0cbd6b711979d1eef162eba68ea61246746789
                                                    • Instruction ID: 409918422a5f2ce46ab7298c06dede66c819340bfa2c91056fc0a923c2c108ea
                                                    • Opcode Fuzzy Hash: 0f28cdf48eca5da913d465efbb0cbd6b711979d1eef162eba68ea61246746789
                                                    • Instruction Fuzzy Hash: F62183B18093848FCB11CF65C8547DEBFF4AF4A314F19808AD494AB652C3796949CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 140 990040-9900aa PostMessageW 141 9900ac-9900b2 140->141 142 9900b3-9900c7 140->142 141->142
                                                    APIs
                                                    • PostMessageW.USER32(?,?,?,?), ref: 0099009D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.441685316.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_990000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: d2fd484938b6b59c550acd8b82538ab0cf7226986da0aa7e2f138642bd5f8b9f
                                                    • Instruction ID: 0e8011edb40b85c917385243f277fbf1d4396e82de0f29a98f972c312f206fd1
                                                    • Opcode Fuzzy Hash: d2fd484938b6b59c550acd8b82538ab0cf7226986da0aa7e2f138642bd5f8b9f
                                                    • Instruction Fuzzy Hash: 9D11D3B59003499FDB10DF99D984BDEBBF8EB48324F14841AD528A7240D375A984CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 144 fe57c8-fe57f1 145 fe5b69-fe5b70 144->145 146 fe57f7-fe57fa 144->146 147 fe5b73 146->147 148 fe5800-fe580a 146->148 150 fe5b78-fe5b8c 147->150 148->145 149 fe5810-fe5829 148->149 149->145 152 fe582f-fe584b 149->152 155 fe5b3a-fe5b55 152->155 157 fe5b5b-fe5b5e 155->157 158 fe5850-fe5863 155->158 157->145 158->150 160 fe5869-fe58bb 158->160 166 fe5b1c-fe5b21 160->166 167 fe58c1-fe58ed call fe5b90 160->167 171 fe5b29-fe5b38 166->171 167->166 172 fe58f3-fe58f7 167->172 171->147 171->155 174 fe58f9-fe5918 172->174 175 fe5960-fe5994 172->175 174->166 181 fe591e-fe5940 174->181 186 fe5998-fe59a4 175->186 187 fe5996 175->187 192 fe5958 181->192 193 fe5942-fe5948 181->193 188 fe59a6-fe59c6 186->188 187->188 198 fe59de-fe5a01 188->198 199 fe59c8-fe59ce 188->199 192->175 194 fe594c-fe594e 193->194 195 fe594a 193->195 194->192 195->192 205 fe5ab8-fe5acf 198->205 200 fe59d2-fe59d4 199->200 201 fe59d0 199->201 200->198 201->198 208 fe5a06-fe5a41 call fe5b90 205->208 209 fe5ad5-fe5af9 205->209 219 fe5a47-fe5a6d 208->219 213 fe5afb-fe5b08 209->213 214 fe5b10 209->214 213->214 214->166 219->205 222 fe5a6f-fe5ab0 219->222 222->205
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: t!il
                                                    • API String ID: 0-212679069
                                                    • Opcode ID: b4d1ac2feb77ec36da7bd36f0858c1a60deadf6aa5a9b70894e581972b0f2d9c
                                                    • Instruction ID: 432baeca03e436ad9a0527a2102d85e06ed4710898ec6e11191363f01c22531e
                                                    • Opcode Fuzzy Hash: b4d1ac2feb77ec36da7bd36f0858c1a60deadf6aa5a9b70894e581972b0f2d9c
                                                    • Instruction Fuzzy Hash: DFA1FD30B042888FCB189B75C855BBE77E2AFC9718F158429E506EB395CF34DC41A7A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 229 fea830-fea860 252 fea863 call feaaff 229->252 253 fea863 call feaa1f 229->253 231 fea869-fea870 232 fea872-fea87d 231->232 233 fea883-fea88e 231->233 232->233 236 fea906-fea958 232->236 237 fea95f-fea98d 233->237 238 fea894-fea8a5 233->238 236->237 241 fea8ab-fea903 238->241 252->231 253->231
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: L
                                                    • API String ID: 0-2909332022
                                                    • Opcode ID: 419ae6f882fea83592dcb89c6ffc38bf6e42240367e6242d29cdf24f6f8c1f55
                                                    • Instruction ID: 141d932a2e3282ed7de182e67fc9d1a94cb825fe63fa81d6f6a424f8ff5048dd
                                                    • Opcode Fuzzy Hash: 419ae6f882fea83592dcb89c6ffc38bf6e42240367e6242d29cdf24f6f8c1f55
                                                    • Instruction Fuzzy Hash: 23310131B042488FCB049B74DC55BAE7BB2AF89324F154069E616EB781CF34DC11C7A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 254 fe4aa0-fe4b08 261 fe4b0a-fe4b13 254->261 262 fe4b29 254->262 263 fe4b1a-fe4b1d 261->263 264 fe4b15-fe4b18 261->264 265 fe4b2c-fe4b2e 262->265 266 fe4b27 263->266 264->266 267 fe4b45 265->267 268 fe4b30-fe4b3d 265->268 266->265 270 fe4b46 267->270 268->267 270->270
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: d
                                                    • API String ID: 0-2564639436
                                                    • Opcode ID: 7beb5f0d3a4aeab9d3df6807c0fb7a5def1a7a1cc54045687b9948e7cd07efba
                                                    • Instruction ID: 8bae3dedc00ea38aea21312722205316495562f7bffa5e7fcbd1a29e0a31779c
                                                    • Opcode Fuzzy Hash: 7beb5f0d3a4aeab9d3df6807c0fb7a5def1a7a1cc54045687b9948e7cd07efba
                                                    • Instruction Fuzzy Hash: DC118E31B00289CBCB149BA5C0557AEBBF6ABC8324F281429C105BB384DF74EC40DBA6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 271 fe4a97-fe4b08 278 fe4b0a-fe4b13 271->278 279 fe4b29 271->279 280 fe4b1a-fe4b1d 278->280 281 fe4b15-fe4b18 278->281 282 fe4b2c-fe4b2e 279->282 283 fe4b27 280->283 281->283 284 fe4b45 282->284 285 fe4b30-fe4b3d 282->285 283->282 287 fe4b46 284->287 285->284 287->287
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: d
                                                    • API String ID: 0-2564639436
                                                    • Opcode ID: 3dd3c80b92dc6d0bed6275cb362237b3391b5b80078c2f0f8f58441898ebb5d4
                                                    • Instruction ID: dd1d1a7dd6e696fcad89d2c76d21c58b38e819b78080192b07075c58e0c74eac
                                                    • Opcode Fuzzy Hash: 3dd3c80b92dc6d0bed6275cb362237b3391b5b80078c2f0f8f58441898ebb5d4
                                                    • Instruction Fuzzy Hash: 2411C431A04289CBDB109BA5C0553EDBBF2ABD8324F24041DC045BB380DF75AC45DB65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 288 fe455f-fe4565 289 fe4567-fe457f 288->289 290 fe4531-fe453c 288->290 291 fe4581-fe45a0 289->291 294 fe45aa 291->294 422 fe45ad call fe4a97 294->422 423 fe45ad call fe4aa0 294->423 424 fe45ad call fe4b81 294->424 295 fe45b3-fe45c8 297 fe45ca-fe45d3 295->297 298 fe45eb 295->298 299 fe45da-fe45e7 297->299 300 fe45d5-fe45d8 297->300 301 fe45ee-fe45fd 298->301 302 fe45e9 299->302 300->302 305 fe45ff-fe464c 301->305 306 fe4601-fe4605 301->306 302->301 305->291 308 fe4626 306->308 309 fe4607-fe4610 306->309 312 fe4629-fe4632 308->312 310 fe4617-fe461a 309->310 311 fe4612-fe4615 309->311 313 fe4624 310->313 311->313 315 fe4639-fe4665 312->315 313->312 319 fe4688 315->319 320 fe4667-fe4670 315->320 323 fe468b-fe46b2 319->323 321 fe4677-fe4684 320->321 322 fe4672-fe4675 320->322 324 fe4686 321->324 322->324 329 fe46b4-fe46bd 323->329 330 fe46d3 323->330 324->323 331 fe46bf-fe46c2 329->331 332 fe46c4-fe46c7 329->332 333 fe46d6-fe4726 330->333 334 fe46d1 331->334 332->334 339 fe4728-fe4731 333->339 340 fe4747 333->340 334->333 341 fe4738-fe473b 339->341 342 fe4733-fe4736 339->342 343 fe474a-fe4762 340->343 344 fe4745 341->344 342->344 346 fe4764-fe476d 343->346 347 fe4783 343->347 344->343 348 fe476f-fe4772 346->348 349 fe4774-fe4777 346->349 350 fe4786-fe47e8 347->350 351 fe4781 348->351 349->351 358 fe47eb-fe47ff 350->358 351->350 360 fe4822 358->360 361 fe4801-fe480a 358->361 364 fe4825-fe4837 360->364 362 fe480c-fe480f 361->362 363 fe4811-fe481e 361->363 365 fe4820 362->365 363->365 368 fe4a0c-fe4a5a 364->368 369 fe483d-fe485a 364->369 365->364 381 fe4a5c-fe4a61 368->381 369->368 372 fe4860-fe4867 369->372 372->358 374 fe4869-fe489e 372->374 379 fe4a0a 374->379 380 fe48a4-fe48a8 374->380 379->381 382 fe48aa-fe48b3 380->382 383 fe48c9 380->383 385 fe48ba-fe48bd 382->385 386 fe48b5-fe48b8 382->386 387 fe48cc-fe48d3 383->387 388 fe48c7 385->388 386->388 389 fe48f4 387->389 390 fe48d5-fe48de 387->390 388->387 392 fe48f7-fe4908 389->392 393 fe48e5-fe48e8 390->393 394 fe48e0-fe48e3 390->394 397 fe490f-fe4920 call fe57c8 392->397 396 fe48f2 393->396 394->396 396->392 398 fe4926-fe492a 397->398 399 fe492c-fe4935 398->399 400 fe494b 398->400 401 fe493c-fe493f 399->401 402 fe4937-fe493a 399->402 403 fe494e-fe4975 400->403 404 fe4949 401->404 402->404 403->379 406 fe497b-fe497f 403->406 404->403 407 fe49a0 406->407 408 fe4981-fe498a 406->408 411 fe49a3-fe49aa 407->411 409 fe498c-fe498f 408->409 410 fe4991-fe4994 408->410 412 fe499e 409->412 410->412 413 fe49ac-fe49b5 411->413 414 fe49cb 411->414 412->411 415 fe49bc-fe49bf 413->415 416 fe49b7-fe49ba 413->416 417 fe49ce-fe49ee 414->417 418 fe49c9 415->418 416->418 417->368 420 fe49f0-fe49f8 417->420 418->417 420->368 421 fe49fa-fe4a03 420->421 421->379 422->295 423->295 424->295
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: d
                                                    • API String ID: 0-2564639436
                                                    • Opcode ID: 9fbcc16e0e5abd91940d0bdf3d677d4b682382c1ff7b38feb60722f57e39f05d
                                                    • Instruction ID: 392974951075a442e11ca87ad369e8129f8ace8aaad2c96a80b8db1deb7b71cf
                                                    • Opcode Fuzzy Hash: 9fbcc16e0e5abd91940d0bdf3d677d4b682382c1ff7b38feb60722f57e39f05d
                                                    • Instruction Fuzzy Hash: 1E1188B5D04288CFCB10CBB5D4A82ADFBB1FF49305F14406DE402A7640CB31A84ADF01
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 426 fe4b81-fe4b94 436 fe4b0a-fe4b13 426->436 437 fe4b29 426->437 438 fe4b1a-fe4b1d 436->438 439 fe4b15-fe4b18 436->439 440 fe4b2c-fe4b2e 437->440 441 fe4b27 438->441 439->441 442 fe4b45 440->442 443 fe4b30-fe4b3d 440->443 441->440 445 fe4b46 442->445 443->442 445->445
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: d
                                                    • API String ID: 0-2564639436
                                                    • Opcode ID: 98ff8a370993d3ec8889825b619ba550e707b3b054e6ef6609cb28a009f8c3dc
                                                    • Instruction ID: 77c8c5bca72b7b036d4c5dacbc0e17c5e8ccb30addc7aec76e0c76694b6b64e1
                                                    • Opcode Fuzzy Hash: 98ff8a370993d3ec8889825b619ba550e707b3b054e6ef6609cb28a009f8c3dc
                                                    • Instruction Fuzzy Hash: A4015E31A04249CBCB149FB5D4153AD76F2ABD8325F25142DC106FB284DF78EC40EB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 446 fe905b-fe93b6 497 fe93bc-fe93cc 446->497 498 fe9908-fe9920 446->498 497->498 499 fe93d2-fe93e2 497->499 503 fe996c-fe9973 498->503 504 fe9922-fe992c 498->504 499->498 500 fe93e8-fe93f8 499->500 500->498 502 fe93fe-fe940e 500->502 502->498 507 fe9414-fe9424 502->507 505 fe99de-fe99ea 503->505 506 fe9975-fe9981 503->506 504->503 514 fe99ec-fe99f8 505->514 515 fe9a01-fe9a0d 505->515 512 fe99a6-fe99a9 506->512 513 fe9983-fe998e 506->513 507->498 508 fe942a-fe943a 507->508 508->498 511 fe9440-fe9450 508->511 511->498 516 fe9456-fe9466 511->516 518 fe99ab-fe99b7 512->518 519 fe99c0-fe99cc 512->519 513->512 527 fe9990-fe999a 513->527 514->515 528 fe99fa-fe99ff 514->528 530 fe9a0f-fe9a1b 515->530 531 fe9a24-fe9a26 515->531 516->498 517 fe946c-fe947c 516->517 517->498 522 fe9482-fe9492 517->522 518->519 535 fe99b9-fe99be 518->535 524 fe99ce-fe99d5 519->524 525 fe9a34-fe9a56 519->525 522->498 529 fe9498-fe9907 522->529 524->525 526 fe99d7-fe99dc 524->526 542 fe9a58 525->542 543 fe9a66 525->543 533 fe9a2e-fe9a33 526->533 527->512 540 fe999c-fe99a1 527->540 528->533 530->531 541 fe9a1d-fe9a22 530->541 531->533 535->533 540->533 541->533 542->543 545 fe9a5f-fe9a64 542->545 546 fe9a68-fe9a69 543->546 545->546
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3927051a0ee3c29108a168477858c10e13d89a17fd61a2934ae9b86eb87b8050
                                                    • Instruction ID: e5ff9247a4e0e50c78d6c9703701d3f70eec57cd8c2934ede51141a4404ba8e1
                                                    • Opcode Fuzzy Hash: 3927051a0ee3c29108a168477858c10e13d89a17fd61a2934ae9b86eb87b8050
                                                    • Instruction Fuzzy Hash: 86224B30A0415CCFEB24DBA0C850BAE7BB2AF85344F1181A9C60A7B799DF359E45DF61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 725 fe9f09-fe9f0e 726 fea39e-fea3af 725->726 727 fe9f0f-fe9f2c 725->727 728 fe9f34-fe9f37 727->728 730 fe9f39-fe9f3b 728->730 731 fe9f40-fe9f43 728->731 732 fea38f-fea396 730->732 733 fea399 731->733 734 fe9f49-fe9f4f 731->734 733->726 734->733 735 fe9f55-fe9f5b 734->735 736 fe9f5d-fe9f61 735->736 737 fe9ef0-fe9ef6 735->737 738 fe9f67-fe9f6b 736->738 739 fea0d0-fea0dc 736->739 737->736 740 fe9ef8-fe9efb 737->740 741 fe9ff3-fe9ff8 738->741 742 fe9f71-fe9f77 738->742 744 fea0de-fea0e7 739->744 745 fea0e9-fea0ef 739->745 740->726 743 fe9f01-fe9f08 740->743 741->733 746 fe9ffe-fea001 741->746 742->733 747 fe9f7d-fe9f7f 742->747 743->725 744->745 748 fea104-fea10b 744->748 745->733 749 fea0f5-fea101 745->749 750 fea00a-fea00d 746->750 751 fea003-fea005 746->751 752 fe9fe9-fe9fec 747->752 753 fe9f81-fe9f84 747->753 754 fea2b8-fea2bc 748->754 755 fea111-fea11a 748->755 749->748 750->726 757 fea013-fea020 750->757 751->732 760 fe9fee 752->760 761 fe9f98-fe9f9b 752->761 753->726 758 fe9f8a-fe9f8f 753->758 762 fea377-fea37b 754->762 763 fea2c2-fea2cb 754->763 755->733 756 fea120-fea123 755->756 756->733 764 fea129-fea13f 756->764 757->726 765 fea026-fea036 757->765 758->752 766 fe9f91-fe9f93 758->766 770 fea0c1-fea0c7 760->770 761->726 769 fe9fa1-fe9fae 761->769 767 fea37d-fea384 762->767 768 fea38a 762->768 763->733 771 fea2d1-fea2d8 763->771 781 fea2ad-fea2b0 764->781 782 fea145-fea14b 764->782 765->770 783 fea03c-fea040 765->783 766->732 767->768 773 fea386-fea388 767->773 768->732 769->726 775 fe9fb4-fe9fd7 769->775 770->733 774 fea0cd 770->774 771->762 772 fea2de-fea2e4 771->772 772->726 776 fea2ea-fea2ef 772->776 773->732 774->739 790 fe9fd9-fe9fdb 775->790 791 fe9fe0-fe9fe3 775->791 779 fea369-fea36c 776->779 780 fea2f1-fea2f7 776->780 779->733 786 fea36e-fea371 779->786 780->726 785 fea2fd-fea30e 780->785 781->754 782->726 787 fea151-fea164 782->787 788 fea0ba-fea0bc 783->788 789 fea042-fea04b 783->789 795 fea316-fea31a 785->795 796 fea310-fea314 785->796 786->762 786->772 797 fea18f-fea195 787->797 798 fea166-fea16a 787->798 788->732 789->726 792 fea051-fea06d 789->792 790->732 791->733 791->752 792->726 804 fea073-fea098 792->804 800 fea31c-fea31e 795->800 801 fea320-fea362 795->801 796->779 805 fea1ed-fea1f6 797->805 806 fea197-fea19b 797->806 802 fea16c-fea16e 798->802 803 fea173-fea18a 798->803 800->732 801->779 802->732 819 fea298-fea29b 803->819 804->726 824 fea09e-fea0b1 804->824 805->726 807 fea1fc-fea201 805->807 808 fea19d-fea19f 806->808 809 fea1a4-fea1e8 806->809 811 fea229-fea22c 807->811 812 fea203-fea207 807->812 817 fea209-fea20b 812->817 818 fea210-fea227 812->818 808->732 809->819 811->726 815 fea232-fea23f 811->815 815->726 821 fea245-fea268 815->821 817->732 818->819 819->733 822 fea2a1-fea2a7 819->822 830 fea26a-fea26c 821->830 831 fea271-fea27a 821->831 822->781 822->782 824->788 830->732 831->726 834 fea280-fea28b 831->834 834->726 835 fea291-fea294 834->835 835->819
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4164598c2c3fdbc8237193ec161d91fb64c4d981c4e04a3f552a531164f1a6b0
                                                    • Instruction ID: 02fe543e76bb20a6ccb137da07418dc94cb358bb74007b4cc5a54bf7d300aef8
                                                    • Opcode Fuzzy Hash: 4164598c2c3fdbc8237193ec161d91fb64c4d981c4e04a3f552a531164f1a6b0
                                                    • Instruction Fuzzy Hash: FAF15B71A00285CFCB15CF65C584AAEB7F2BF48314F258A55E405EB2A5C736FC81DB62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 837 fe8355-fe8369 945 fe836b call fe8708 837->945 946 fe836b call fe8707 837->946 838 fe8371-fe8381 839 fe8576-fe857a 838->839 840 fe8387-fe838a 838->840 841 fe869f 839->841 842 fe8580-fe8586 839->842 843 fe838c-fe8392 840->843 844 fe8394-fe8397 840->844 850 fe86a4-fe86bc 841->850 845 fe829f-fe82a8 842->845 846 fe858c-fe8590 842->846 843->844 847 fe839d-fe83a0 843->847 844->841 844->847 851 fe82aa-fe82af 845->851 852 fe82b7-fe82c3 845->852 853 fe85a9-fe85b7 846->853 854 fe8592-fe85a6 846->854 848 fe83a8-fe83ab 847->848 849 fe83a2-fe83a6 847->849 848->841 855 fe83b1-fe83b5 848->855 849->848 849->855 851->852 852->850 856 fe82c9-fe82cf 852->856 862 fe8628-fe863d 853->862 863 fe85b9-fe85ce 853->863 855->841 857 fe83bb-fe83c1 855->857 856->839 859 fe82d5-fe82e5 856->859 864 fe83c7-fe83f2 call fe7f70 * 2 857->864 865 fe8322-fe8333 857->865 873 fe82f9-fe82fb 859->873 874 fe82e7-fe82f7 859->874 875 fe863f-fe8642 862->875 876 fe8644-fe8651 862->876 877 fe85d5-fe85e2 863->877 878 fe85d0-fe85d3 863->878 892 fe84dc-fe84f6 864->892 893 fe83f8-fe83fc 864->893 865->850 867 fe8339-fe834b 865->867 867->850 872 fe8351 867->872 872->837 879 fe82fe-fe8304 873->879 874->879 882 fe8653-fe868e 875->882 876->882 883 fe85e4-fe8625 877->883 878->883 879->839 884 fe830a-fe8319 879->884 915 fe8695-fe869c 882->915 884->864 886 fe831f 884->886 886->865 892->846 918 fe84fc-fe8500 892->918 893->839 896 fe8402-fe8406 893->896 898 fe842e-fe8434 896->898 899 fe8408-fe8415 896->899 900 fe846f-fe8475 898->900 901 fe8436-fe843a 898->901 911 fe8417-fe8422 899->911 912 fe8424 899->912 905 fe8477-fe847b 900->905 906 fe8481-fe8487 900->906 901->900 904 fe843c-fe8445 901->904 913 fe8447-fe844c 904->913 914 fe8454-fe846a 904->914 905->906 905->915 909 fe8489-fe848d 906->909 910 fe8493-fe8495 906->910 909->839 909->910 921 fe84ca-fe84cc 910->921 922 fe8497-fe84a0 910->922 923 fe8426-fe8428 911->923 912->923 913->914 914->839 919 fe853c-fe8540 918->919 920 fe8502-fe850c call fe6e10 918->920 919->915 930 fe8546-fe854a 919->930 920->919 933 fe850e-fe8523 920->933 921->839 928 fe84d2-fe84d9 921->928 926 fe84af-fe84c5 922->926 927 fe84a2-fe84a7 922->927 923->839 923->898 926->839 927->926 930->915 932 fe8550-fe855d 930->932 936 fe855f-fe856a 932->936 937 fe856c 932->937 933->919 942 fe8525-fe853a 933->942 939 fe856e-fe8570 936->939 937->939 939->839 939->915 942->846 942->919 945->838 946->838
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 439c73e3df034656576055c0c5b8b1ae2bab6d2334ca168fbd57d76f2b9eda69
                                                    • Instruction ID: 8765b87e9e87d3c375accce3710e1fd5b8c43356365cf25d7ae1eaf75534e7d7
                                                    • Opcode Fuzzy Hash: 439c73e3df034656576055c0c5b8b1ae2bab6d2334ca168fbd57d76f2b9eda69
                                                    • Instruction Fuzzy Hash: DED17D31A00288CFCB24EF66D984AADB7F2FF44364F158559E509EB2A1DB30ED42DB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4bf022101fe6f1d35423870789c7da196c1eb32399872e2f752891a0b6f81b65
                                                    • Instruction ID: 9bd3dd39cf72e6d821f67ce1777bb1acd53d9c1c05a0031dc068ebc107e80d0b
                                                    • Opcode Fuzzy Hash: 4bf022101fe6f1d35423870789c7da196c1eb32399872e2f752891a0b6f81b65
                                                    • Instruction Fuzzy Hash: 93B12776E00154CFCB15CF99C9889ADBBB2FF48315B668499E409AB361CB34FC42CB52
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 19ff4f41ada3877d6ae55bc1bb92481e3a8f70d49e0e82dbd8806d71d09eecef
                                                    • Instruction ID: de55e8763b649990c88a63ed426f86ef54103c89a1b473b081073078af481b17
                                                    • Opcode Fuzzy Hash: 19ff4f41ada3877d6ae55bc1bb92481e3a8f70d49e0e82dbd8806d71d09eecef
                                                    • Instruction Fuzzy Hash: 5681FE30B001599FCB04DF64C858BBE7BA2EF98359F148928EA06DB280CF74DD51DB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 65b199ad243087a83dca62b9ecd535726ab3468a95713e568025c4a6c6d93f08
                                                    • Instruction ID: 3563ea2ee9b63efdeab36a6ec16be0a9e1f611276c41ffe331adf74f8597fc5c
                                                    • Opcode Fuzzy Hash: 65b199ad243087a83dca62b9ecd535726ab3468a95713e568025c4a6c6d93f08
                                                    • Instruction Fuzzy Hash: C5714D34B002458FCB14EF2AC884A6E7BE6AF49794F5900A5E809DB3B1DF70DD42DB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c86a6e6bc74ee93fbc804847853946a2b2f10aac4b8806d5ad13682f126608d7
                                                    • Instruction ID: 720ee24dfe40a1d8582fc488d47a5beae10465f0fb7ca6d597c58f70f648b5d1
                                                    • Opcode Fuzzy Hash: c86a6e6bc74ee93fbc804847853946a2b2f10aac4b8806d5ad13682f126608d7
                                                    • Instruction Fuzzy Hash: 90619335E082C5CFCB18DF6AC8849ADB7B2BF89310B258069D615EB3A5D731EC41DB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 24c4374efbfed1699afb7fa683a8fa60d6768e7647af4d404c464f8f22933c2d
                                                    • Instruction ID: 8a1c86b291b9d57c8e462a683e80dc3f96d6dcafe358bd5f86fe770664e19573
                                                    • Opcode Fuzzy Hash: 24c4374efbfed1699afb7fa683a8fa60d6768e7647af4d404c464f8f22933c2d
                                                    • Instruction Fuzzy Hash: 7651EE30B002598FCB05DB79DC484BEBBB6EFC53207258A69E519DB391EB349C068790
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 320b2b82e5fd4b7c01cd77de99eb4f58efbb6a39088198e42a51c4ecda52cdfa
                                                    • Instruction ID: 71a5f3d7ec3af0187e747408142d0af1231cf59b3d19ad11fc37db03a3d26ec5
                                                    • Opcode Fuzzy Hash: 320b2b82e5fd4b7c01cd77de99eb4f58efbb6a39088198e42a51c4ecda52cdfa
                                                    • Instruction Fuzzy Hash: 4F517871E082899FCF05CFA9D840ADDBFB2FF89310F20815AE905AB364D7B49955DB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2712c0e4d158ca63e0716e33b9b79ec57590e1194fa012ee138efa439fe026a3
                                                    • Instruction ID: b1c38e0d344d1800a9abcbebf2fe210187161dd1856205f3483c52f7fe5a8a3e
                                                    • Opcode Fuzzy Hash: 2712c0e4d158ca63e0716e33b9b79ec57590e1194fa012ee138efa439fe026a3
                                                    • Instruction Fuzzy Hash: 5111F5B69042888FCB10DF9AD444BDEBBF4EB48324F14841AD559A7340D778A948CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442288132.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_f3d000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5c1eb153b70271d0246efc2b1515d6d99da2825af80678d5a276bbc444a8135f
                                                    • Instruction ID: 8dde7ba400030e5c483cab82d0a6f9e165c205f18dce33594f1ba70a38c934bf
                                                    • Opcode Fuzzy Hash: 5c1eb153b70271d0246efc2b1515d6d99da2825af80678d5a276bbc444a8135f
                                                    • Instruction Fuzzy Hash: A201DB729083849AE7104E16DCC5776FBDCEF41774F19C059EE185B286D374A848E6B1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442288132.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_f3d000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a30ad4c64baae439de894ee12eb3da091e0478262db883b6bc96cb3a0bb3e0fb
                                                    • Instruction ID: 2ac7059d7eaf5ba241411caba0a264d8800f226b04267292bc335d91e3e39013
                                                    • Opcode Fuzzy Hash: a30ad4c64baae439de894ee12eb3da091e0478262db883b6bc96cb3a0bb3e0fb
                                                    • Instruction Fuzzy Hash: 7CF0F6718043889EE7108E06DCC5B72FFA8EB41734F18C05EED081B286C378AC44DAB0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 421edb8bbf5ce259f313009a22b6ef0c00bc7296b137c11a3381ac7e12e30ee4
                                                    • Instruction ID: 797514b3c008afa52ee19194cdc18b4b3dd3bb50ae265af62e159c0b5e5f9b11
                                                    • Opcode Fuzzy Hash: 421edb8bbf5ce259f313009a22b6ef0c00bc7296b137c11a3381ac7e12e30ee4
                                                    • Instruction Fuzzy Hash: 2501E870C00259DFDB24CF6AC8043AEBEF1EF49360F218625E824AA290D7744A49DB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0f17eb85484d54cb8cde1406351f8d180951ca4ae926a62ddd6ffd944c2ec3ba
                                                    • Instruction ID: df74e49f694c39d3ee87980e39926fbf40cef720b1b77737dc3b68cb45de9daa
                                                    • Opcode Fuzzy Hash: 0f17eb85484d54cb8cde1406351f8d180951ca4ae926a62ddd6ffd944c2ec3ba
                                                    • Instruction Fuzzy Hash: 96E06D727041286F5304DA6EEC84C6BBBEEEBCD674351813AF50CC7310DA30DC0086A0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6d4e3f31121b8d6cb2fb2d665e83ab3731978fdb58e2d0a8afeb8fc076dce43d
                                                    • Instruction ID: 7a0a4636c6551e33828a0f1994f7985ba582532b7c14651ffbe3e018e3b0f6ed
                                                    • Opcode Fuzzy Hash: 6d4e3f31121b8d6cb2fb2d665e83ab3731978fdb58e2d0a8afeb8fc076dce43d
                                                    • Instruction Fuzzy Hash: 84E039727006145B8318DB2AA840817F7EAEFC8734701C57EE60A87711DA71A8048B50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eba2ef256ac13295b16e4e5fe6dc9fefc483acda0fb27c7fc6d433a4ec9d1336
                                                    • Instruction ID: 9408a125c799b56c605ec22a856fc8f88daae73dcaf9a24f77e75b853a475177
                                                    • Opcode Fuzzy Hash: eba2ef256ac13295b16e4e5fe6dc9fefc483acda0fb27c7fc6d433a4ec9d1336
                                                    • Instruction Fuzzy Hash: 8FE08634A04108EF8B00EFB5E94285D77B6EB45324B1149A8D904B7314DB353F009B61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                                    • Instruction ID: a4f7e2faf47515b225bfd418321ba937e536b00b94e3e547618225201af86751
                                                    • Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                                    • Instruction Fuzzy Hash: D4D09E72D00139978B10AFE99C054DFFF78EF05651B418126E955A7110D3715A25DBD1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6eb43ba3240096e4efd66669bfd44f78bd8b850316893e181c86701362c64028
                                                    • Instruction ID: 6996fb6070106fccf30cce9051ee4f7aa0b9eb9001ff0a77ec2a9f318748e7bd
                                                    • Opcode Fuzzy Hash: 6eb43ba3240096e4efd66669bfd44f78bd8b850316893e181c86701362c64028
                                                    • Instruction Fuzzy Hash: 99D0C97A00A2845FCF036B5088819417FB4AE2720077A41D2E0808A027C12EC41AEB53
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2c781c7c19a5b771fc847d7740612caf61c8f9eb523c1d543198023ad3c8d3cc
                                                    • Instruction ID: 1c1135f45eb02626ceb1bea346dc70ce2526d094b51c6420196d9289b1f4a2bb
                                                    • Opcode Fuzzy Hash: 2c781c7c19a5b771fc847d7740612caf61c8f9eb523c1d543198023ad3c8d3cc
                                                    • Instruction Fuzzy Hash: 0BC0123051C6484F8940FB71ED4A45D335A9B92318B858E2091084B45DDF74A5044696
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.442636723.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_fe0000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d13839fde9e4086dc1a2a67860ba8dbdb644b28701511c66cc172fee4fc9d8db
                                                    • Instruction ID: 0db87b6a023d66717f3f1b4e55d0213127340140d13329fb299269d9ed23b7e6
                                                    • Opcode Fuzzy Hash: d13839fde9e4086dc1a2a67860ba8dbdb644b28701511c66cc172fee4fc9d8db
                                                    • Instruction Fuzzy Hash: C8C09B36049344AF8701A752C944C1F7691FF57304741CD51B54456532CB25C815FB86
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.441685316.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_990000_atpRyiZGTE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7df6da9ffdc6422bc8a7166909ac5c81cc861332a39a3cceb1f5eea5b1e288cc
                                                    • Instruction ID: 858243dfbda0541e7a7885e72a35902d805df6cbebe539ac34cc878e351a2020
                                                    • Opcode Fuzzy Hash: 7df6da9ffdc6422bc8a7166909ac5c81cc861332a39a3cceb1f5eea5b1e288cc
                                                    • Instruction Fuzzy Hash: ACD1A334A006058FDB48DF69C598AA9B7F5BF8D305F2684A8E50AAB371DB31AD40CF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%